Abstract. We formalise the pi-calculus using the nominal datatype package, based on
ideas from the nominal logic by Pitts et al., and demonstrate an implementation in
Isabelle/HOL. The purpose is to derive powerful induction rules for the semantics in order
to conduct machine checkable proofs, closely following the intuitive arguments found in
manual proofs. In this way we have covered many of the standard theorems of bisimulation
equivalence and congruence, both late and early, and both strong and weak in a uniform
manner. We thus provide one of the most extensive formalisations of a process calculus
ever done inside a theorem prover.

A significant gain in our formulation is that agents are identified up to alpha-equivalence, 
thereby greatly reducing the arguments about bound names. This is a normal strategy for 
manual proofs about the pi-calculus, but that kind of hand waving has previously been 
difficult to incorporate smoothly in an interactive theorem prover. We show how the nominal
logic formalism and its support in Isabelle accomplish this and thus significantly
reduces the tedium of conducting completely formal proofs. This improves on previous 
work using weak higher order abstract syntax since we do not need extra assumptions to 
filter out exotic terms and can keep all arguments within a familiar first-order logic. 



1. Introduction 

1.1. Motivation. As the complexity of software systems increases, the need is growing
to ensure their correct operation. One way forward is to create particular theories or 
frameworks geared towards particular application areas. These frameworks have the right 
kind of abstractions built in from the beginning, meaning that proofs can be conducted at a 
high level. The drawback is that different areas need different such frameworks, resulting in 
a proliferation and even abundance of theories. A prime example can be found in the field 
of process calculi. It originated in work by Milner in the late 1970s [27] and was intended 
to provide an abstract way to reason about parallel and communicating processes. Today 
there are many different strands of calculi addressing specific issues. Each of them embodies 
a certain kind of abstraction suitable for a particular area of application. 

For each such calculus a certain amount of theoretical groundwork must be laid down. 
Typical examples include definitions of the semantics, establishing substitutive properties, 
structures for inductive proof strategies etc. This groundwork must naturally be correct
beyond doubt (if there is an error in it then all proofs conducted in that calculus will be 
incorrect). The idea to use formal verification of the groundwork itself is therefore natural. 
In this paper we shall present an improved method to accomplish this. 

1.2. Theorem provers. There exist today several proof assistants, aka theorem provers: 
Coq [11], Isabelle [32], Agda [1], PVS [M], Nuprl [1^] and HOL [23], just to name a few.
These theorem provers are interactive. They have many automated tactics, and the user can 
provide additional proof strategies. Many are also getting better and easier to use, and so the 
concept of having fully machine checked proofs has recently become far more realistic. As 
an indication of this several major results have been proven over the last few years, including 
the four and five colour theorems [7, 22], Kepler's conjecture [33] and Gödel's incompleteness
theorem [H]. Significant advances in applications related to software are summarized in the
POPLmark Challenge [6], a set of benchmarks intended both for measuring progress and 
for stimulating discussion and collaboration in mechanizing the metatheory of programming 
languages. There are for example results on analysis of typing in system F and light versions 
of Java. The theorem prover Isabelle is also currently used to verify software in the Verisoft 
project [3]. 

We want to emphasize that these types of tools are now being transferred to industry. 
In [12], a group at Microsoft Research in Cambridge compiles a subset of F# (a Microsoft
product) code to the pi-calculus and security properties are checked using ProVerif [13]. This
work was later extended in [9] where a cryptographic type checker was constructed for F#
which handles a larger set of problems. The ideas from these are now being transferred
into other Microsoft products. Also, the Spec# [2] programming system is integrated in
the Microsoft Visual Studio environment for the .NET platform and contains an automatic 
theorem prover. 

1.3. The pi-calculus. As the basic underlying model we have chosen the pi-calculus, which
since its conception in the late 1980s by Milner, Parrow and Walker [30] has had a significant
impact on the way formal methods handle mobile systems. The mechanism of name-passing,
in combination with the paradigm of static binding, where the scope of names
may be dynamically extended by means of communication to include the receiver, has
turned out to be surprisingly expressive for a vast variety of programming idioms: abstract
data types, lambda-calculus, i.e. functional programming, object-oriented programming,
imperative programming, logic and concurrent constraint programming, and primitives for
encryption/decryption. The pi-calculus has influenced the development of many high-level
programming languages and it has triggered a whole family of related calculi, e.g. spi [5],
join [17], fusion [36], blue [14], the applied pi-calculus [4] and ambients [15]. In essence, the
pi-calculus has now grown out of a single formalism into a general field where components of
formalisms, such as operators, semantics and proof methods, can be more freely combined.

1.4. Approach. The goal of our project is to provide a library in an automated theorem
prover, Isabelle/HOL [32], which allows users to do machine checked proofs on the groundwork
of process calculi. The guiding principle is that the proofs should correspond very
closely to the traditional manual proofs present in the literature. This means that for a
person who has completed these proofs manually very little extra effort should be required
in order to let Isabelle check them. Today those proofs are reasonably well understood,
but capturing them in a theorem prover has until now been a daunting task. The reason is
mainly related to bound names and the desire to abstract away from α-equivalence [6].

In the literature it is not uncommon to find statements such as: "henceforth we shall not 
distinguish between a-equivalent terms" or "we assume bound names to always be fresh", 
even though it is left unsaid exactly what this means. In [30] Sangiorgi and Walker write: 
In any discussion, we assume that the bound names of any processes or ac- 
tions under consideration are chosen to be different from the names free in 
any other entities under consideration, such as processes, actions, substitu- 
tions and sets of names. 
And in [35] we can find: 

... we will use the phrase "bn(α) is fresh" in a definition to mean that the
name in bn(α), if any, is different from any free name occurring in any of
the agents in the definition. 

This kind of reasoning does not necessarily imply that proofs conducted in this manner 
are incorrect, only that they are not fully formalised. 

Our approach is to formulate the pi-calculus using ideas from nominal logic developed
by Pitts et al. [37l Ell US]. This is a first order logic designed to work with calculi using
binders. It maintains all the properties of a first order logic and introduces an explicit
notion of freshness of names in the terms. Gabbay's thesis [18] uses it to introduce FM
set theory, which is the standard ZF set theory but with an extra axiom for freshness of
names. Recent work by Urban and Tasson [43] extends this work using ideas from [37] and
solves the problem with freshness without introducing new axioms. The techniques have
been implemented into the theorem prover Isabelle/HOL, in a nominal datatype package,
so that when defining nominal datatypes, Isabelle will automatically generate a type which
models the datatype up to α-equivalence as well as induction principles and a recursion
combinator allowing the user to create functions on nominal datatypes.

1.5. Results. Our contribution is to use the nominal package in Isabelle to describe the
pi-calculus. We have proved substantial portions of [30] using these techniques. More
specifically, we have proven that strong equivalence and weak congruence are congruence 
relations for both late and early operational semantics, that all structurally congruent terms 
are bisimilar and that late strong equivalence, weak bisimulation and weak congruence are 
included in their early counterparts. To our knowledge, properties about weak equivalences 
of the pi-calculus have never before been formally derived inside a theorem prover. Our
proof method is to lift the strong operational semantics to a weak one, enabling us to port 
our proofs between the two semantics. Moreover, our proofs follow their pen-and-paper 
equivalents very closely inside a first-order environment. In other words, the extra effort to 
have proofs checked by a machine is not prohibitive. 

1.6. Exposition. In the next section we explain some basic concepts of the nominal datatype
package. We do not give a full account of it, only enough that a reader may follow the rest
of our paper. In Section 3 we cover the strong late operational semantics of the pi-calculus
as well as the induction and case analysis rules we have created for the semantic rules.
Section 4 treats strong late bisimulation, the proofs that it is preserved by all operators except
input prefix and that strong equivalence is a congruence. In Section 5 we show the proof
strategies for one of our main results in depth, demonstrating how closely our formalised
proofs map their pen-and-paper equivalents. Section 6 handles the structural congruence
rules and the proof that all structurally congruent terms are also bisimilar. We cover the
weak late operational semantics in Section 7 and prove that weak bisimulation is preserved
by all operators except sum and input prefix and that weak congruence is a congruence. In
Section 8 we formalise the early pi-calculus, both strong and weak, and prove all the results
which we have for the late semantics for early. We also prove that all late bisimulation
relations are a subset of their corresponding early ones. In the concluding section we compare
our efforts to related work and comment on planned further work. The Isabelle source files
can be found at http://www.it.uu.se/katalog/jesperb/pi.

2. The pi-calculus in Isabelle 

For a more thorough presentation of the nominal datatype package in Isabelle the reader is
referred to [43], but enough basic definitions will be covered here for the reader to understand
the rest of this paper. A nominal datatype definition is like an ordinary data type but it
explicitly tags the binding occurrences of names. For example, a data type for λ-calculus
terms would in this way tag the name in the abstraction. The point is that the nominal
package in Isabelle automatically generates induction rules where α-equivalent terms are
identified, thus saving the user much tedium in large proofs.

At the heart of nominal logic is the notion of name swapping, where names are a countably
infinite set of atomic terms. If $T$ is any term of permutation type (a term which
supports permutations of its names) and $a$ and $b$ are names then $(a\ b)\cdot T$ denotes the
term where all instances of $a$ in $T$ become $b$ and vice versa. All names (even the binding
and bound occurrences) are swapped in this way. A permutation $p$ is a finite sequence of
swappings. If $p = (a_1\ b_1)\cdots(a_n\ b_n)$ then $p\cdot T$ means applying all swappings in $p$ to $T$,
beginning with the last element $(a_n\ b_n)$.

Permutations are mathematically well behaved. They very rarely change the properties
of a term. Most importantly, α-equivalence is preserved by permutations. The property of
being preserved by permutations is often called equivariance. We shall mainly use
equivariance on binary relations, where the definition is:

Definition 2.1. Equivariance

$$\mathrm{eqvt}\ \mathcal{R} = \forall p\ T\ U.\ (T, U) \in \mathcal{R} \Rightarrow (p\cdot T,\ p\cdot U) \in \mathcal{R}$$

Another key concept is the notion of support. The definition, in general, is that the support
$\mathrm{supp}\ T$ of a term $T$ is the set of names which can affect $T$ in permutations. In other
words, if $p$ is a permutation only involving names outside the support of $T$ then $p\cdot T = T$.
Remembering that α-equivalent terms are identified we see that the support corresponds to
the free names in calculi like the λ-calculus.

A crucial property is that the support of a term is finite. This implies that for any term
it is always possible to find a name outside its support. We say that a name $a$ is fresh for
a term $T$, written $a \mathrel{\#} T$, if $a$ is not in the support of $T$.

Permutations can be used to capture a-equivalence. Let [x].T stand for any operator 
that binds x in T. 



Proposition 2.2. $[x].T = [y].U \Rightarrow (x = y \wedge T = U) \vee (x \neq y \wedge x \mathrel{\#} U \wedge T = (x\ y)\cdot U)$

If $[x].T = [y].U$ then either $x$ and $y$ are equal and $T$ and $U$ are α-equivalent, or $x$ is not
equal to $y$ and fresh in $U$ and $T$ is α-equivalent to $U$ with all occurrences of $x$ swapped with
$y$ and vice versa. Another way to capture α-equivalence is the following:

Proposition 2.3. $c \mathrel{\#} (x, y, T, U) \wedge [x].T = [y].U \Rightarrow (x\ c)\cdot T = (y\ c)\cdot U$

Here and in the rest of the paper we use the word "proposition" for something that Isabelle 
generates automatically. 

We use a version of the monadic pi-calculus [30], and assume that the reader is familiar
with the basic ideas of its syntax and semantics.

Definition 2.4. Defining the pi-calculus in Isabelle.

Nominal declaration in Isabelle          Notation in this paper
nominal_datatype pi = PiNil              $0$
  | Tau pi                               $\tau.P$
  | Input name "<<name>> pi"             $a(x).P$
  | Output name name pi                  $\bar a b.P$
  | Match name name pi                   $[a = b]P$
  | Mismatch name name pi                $[a \neq b]P$
  | Sum pi pi                            $P + Q$
  | Par pi pi                            $P \mid Q$
  | Res "<<name>> pi"                    $(\nu x)P$
  | Bang pi                              $!P$

This definition is an example of Isabelle notation, where <<name>> pi indicates that name
is bound in pi. For the rest of the paper we shall use the traditional notation for pi-calculus
terms as specified in the previous definition.

The nominal datatype package automatically generates lemmas for reasoning about
α-equivalence between processes; the ones generated from Prop. 2.2 can be found in the
following proposition.

Proposition 2.5. The most commonly used α-equivalence rules for the Input- and the
Restriction case.

Input: $a(x).P = b(y).Q \Rightarrow a = b \wedge ((x = y \wedge P = Q) \vee (x \neq y \wedge x \mathrel{\#} Q \wedge P = (x\ y)\cdot Q))$

Restriction: $(\nu x)P = (\nu y)Q \Rightarrow (x = y \wedge P = Q) \vee (x \neq y \wedge x \mathrel{\#} Q \wedge P = (x\ y)\cdot Q)$

Most modern theorem provers automatically generate induction rules for defined datatypes. 
The nominal datatype package does the same for nominal datatypes but with one addition: 
bound names which occur in the inductive cases can be assumed to be disjoint from any 
finite set of names. This greatly reduces the amount of manual α-conversions.

Functions over nominal datatypes have one restriction: they may not depend on the
bound names in their arguments. Since nominal types are equal up to α-equivalence two
equal terms may have different bound names. When creating recursive functions over
nominal datatypes in Isabelle, one has to prove that this property holds for all instantiations
of the function. The nominal package provides the appropriate proof conditions.
Our only nominal function is substitution where $P\{a/b\}$ (which can be read $P$ with $a$
for $b$) is the agent obtained by replacing all free occurrences of $b$ in $P$ with $a$.
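The nominal operations of this section (swapping, support, the α-equivalence rule of Prop. 2.2 with its Input and Restriction instances from Prop. 2.5, and the substitution $P\{a/b\}$), as an added Python example; this is not the paper's Isabelle development. The `Pi` node class, the constructor helpers and the `n0, n1, ...` fresh-name convention are assumptions of the example, and the sample processes are the two from Section 4.

```python
from __future__ import annotations
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Pi:
    """One node of the nominal datatype pi of Def. 2.4 (constructed encoding)."""
    op: str                    # Nil, Tau, Input, Output, Match, Mismatch, Sum, Par, Res, Bang
    names: tuple = ()          # free name arguments, e.g. Output: (a, b)
    binder: str | None = None  # name bound in args[0]: only for Input and Res
    args: tuple = ()           # process arguments


# Constructors in the notation of the paper.
NIL = Pi("Nil")                                                  # 0
def tau(p): return Pi("Tau", args=(p,))                          # tau.P
def inp(a, x, p): return Pi("Input", (a,), x, (p,))              # a(x).P, x bound in P
def out(a, b, p): return Pi("Output", (a, b), args=(p,))         # a-bar b.P
def match(a, b, p): return Pi("Match", (a, b), args=(p,))        # [a = b]P
def mismatch(a, b, p): return Pi("Mismatch", (a, b), args=(p,))  # [a != b]P
def plus(p, q): return Pi("Sum", args=(p, q))                    # P + Q
def par(p, q): return Pi("Par", args=(p, q))                     # P | Q
def res(x, p): return Pi("Res", (), x, (p,))                     # (nu x)P, x bound in P
def bang(p): return Pi("Bang", args=(p,))                        # !P


def swap(a, b, t):
    """(a b).T: exchange a and b everywhere in T, binding occurrences included."""
    sw = lambda n: b if n == a else a if n == b else n
    return Pi(t.op, tuple(map(sw, t.names)),
              None if t.binder is None else sw(t.binder),
              tuple(swap(a, b, u) for u in t.args))


def supp(t):
    """supp T: the names a permutation can change T with, i.e. the free names.
    A binder removes its name from the support of the process it scopes over."""
    s = set(t.names)
    for i, u in enumerate(t.args):
        inner = supp(u)
        if i == 0 and t.binder is not None:
            inner = inner - {t.binder}
        s |= inner
    return s


def fresh(*avoid):
    """A name c with c # every given term and name; exists because supp is finite.
    The generated names n0, n1, ... are a constructed convention of this example."""
    used = set()
    for v in avoid:
        used |= supp(v) if isinstance(v, Pi) else {v}
    return next(n for n in (f"n{i}" for i in count()) if n not in used)


def alpha_eq(t, u):
    """Decide T = U up to alpha-equivalence. At a binder this is the rule of
    Prop. 2.2, used in both directions:
      [x].T = [y].U  iff  (x = y and T = U) or (x != y and x # U and T = (x y).U)
    which specialises to the Input and Restriction rules of Prop. 2.5."""
    if t.op != u.op or t.names != u.names or len(t.args) != len(u.args):
        return False
    start = 0
    if t.binder is not None:
        x, y, tb, ub = t.binder, u.binder, t.args[0], u.args[0]
        if x == y:
            same = alpha_eq(tb, ub)
        else:
            same = x not in supp(ub) and alpha_eq(tb, swap(x, y, ub))
        if not same:
            return False
        start = 1
    return all(alpha_eq(v, w) for v, w in zip(t.args[start:], u.args[start:]))


def subst(t, a, b):
    """P{a/b}: replace the free occurrences of b in P by a. A binder is first
    swapped to a fresh name, so the result does not depend on the bound name
    chosen (the restriction on nominal functions) and a is never captured."""
    sb = lambda n: a if n == b else n
    names = tuple(map(sb, t.names))
    if t.binder is None:
        return Pi(t.op, names, None, tuple(subst(u, a, b) for u in t.args))
    c = fresh(t, a, b)                      # c # (P, a, b)
    body = subst(swap(t.binder, c, t.args[0]), a, b)
    rest = tuple(subst(u, a, b) for u in t.args[1:])
    return Pi(t.op, names, c, (body,) + rest)


if __name__ == "__main__":
    # The two processes of Section 4: P = a(u).(nu b) b-bar x.0 and Q = a(x).0.
    P = inp("a", "u", res("b", out("b", "x", NIL)))
    print(sorted(supp(P)))                                            # ['a', 'x']
    print(alpha_eq(P, inp("a", "x", res("b", out("b", "x", NIL)))))   # False: x is free in P
    print(alpha_eq(P, inp("a", "w", res("b", out("b", "x", NIL)))))   # True: w is fresh
```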

3. Operational semantics 

3.1. Definitions. We use the standard operational semantics [30]. Here transitions are of
the form $P \xrightarrow{\alpha} P'$, where $\alpha$ is an action. A first attempt, which works well for simpler
calculi like CCS, is to inductively define a set of tuples containing three elements: a process
$P$, an action $\alpha$ and the $\alpha$-derivative of $P$ [8].

However, in the pi-calculus the action $\alpha$ may bind a name, and the scope of this binding
extends into $P'$. This observation is made already in the original presentation of the
pi-calculus [30] where lemmas concerning variants of transitions are spelled out. In his tutorial
on the polyadic pi-calculus [28] Milner uses "commitments" rather than labelled transitions.
A transition here corresponds to a pair consisting of an agent and a commitment where the
latter may have binders and contains both the action and derivative process. We thus
face a discrepancy between a more traditional syntax for transitions (looking like tuples
of three elements) and the intended semantics (that action and derivative in reality is
one construct with names that can be bound in all of it). In many presentations of the
pi-calculus this issue is glossed over, and if α-conversions are not defined rigorously the
three-element syntax for transitions works fine. But here it poses a problem — it would
require us to explicitly state the rules for changing the bound variable, and we would not be
able to rely on the otherwise smooth treatment of α-variants in our framework. Therefore,
in our implementation we follow [28], with a slight change of notation to avoid confusion
of prefixes and commitments, and define a residual-datatype which contains both action
and derivative. It binds the bound names of an action also in the derivative. (A similar
technique is also used by Gabbay when formalising the pi-calculus in FM set theory [20].)

Definition 3.1. The residual datatype

datatype subject = Input name
                 | BoundOutput name

datatype freeRes = Output name name
                 | Tau

nominal_datatype residual = BoundResidual subject "<<name>> pi"
                          | FreeResidual freeRes pi

In this paper we shall continue to write pairs of processes and residuals as transitions 
in the familiar way, and we need to distinguish between actions that bind names and those 
that do not. We introduce the following notation. 

Definition 3.2.

(i) $P \xrightarrow{a\langle x\rangle} P'$ denotes a transition with the bound name $x$ in the action. Note that $a$
is of type subject. The residual by itself is written $a\langle x\rangle \prec P'$.

(ii) $P \xrightarrow{\alpha} P'$ denotes a transition without bound names. Note that $\alpha$ is of type freeRes.
The residual by itself is written $\alpha \prec P'$.

(iii) A transition can also be written as $P \longmapsto Res$ where $P$ is an agent and $Res$ is a
residual, for example $\tau.P \longmapsto \tau \prec P$.
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(x).P ^ P Input ab.P ^ .P Output t.P ^ P Tau 

Pi — ^ Res Pi — > Res a^b 

Match - — — Mismatch 



[a = a]P I — > Res [a ^ b]P i — ^ Res 

P ^P' a^b P^Res P ^^^^ P' x%Q 

— — ^ ^7775 Open Sum ; „^^^ r-; ParB 

[vb)P ^ P^ ^ P + — > Res P\Q ^^^^ P' I Q 

p J^pt p a(£l^ pi Q^Q' 

ParF — ■ = T- — — — — 7 Comm 



P\Q^P' \ Q P\Q^ P'{b/x} I Q' 

p p' Q^Q' y^p p i^<5>, p' y ^a, X) 

P\Q^ {uy){P'{y/x} I Q') "^^"'^ {uy)P (z.^jp^ ^^'^ 

P ^P' y^a P\\P ^P' 

- — — ; — ; — 7 ResF — ; ; — Rephcatiou 

{vy)P {uy)P' \P ^P' ^ 



Figure 1: The Par- and the Res-ivle in the operational semantics of the vr-calculus have 
been split. Symmetric versions have been elided. 



As previously mentioned, functions over nominal datatypes cannot depend on bound names.
This poses a slight problem, since traditionally some of the operational rules have conditions
on the bound names. An example of this is the Par rule in the standard operational
semantics which states that the transition $P \mid Q \xrightarrow{\alpha} P' \mid Q$ can occur only if $P \xrightarrow{\alpha} P'$
and $\mathrm{bn}(\alpha) \cap \mathrm{fn}(Q) = \emptyset$. A function such as $\mathrm{bn}$ does not exist in nominal logic and thus
cannot be created using the nominal datatype package. An easy solution is to split the
operational rules which have these types of conditions into two rules — one for the transitions
with bound names, and one for the ones without. Doing this does not create extra proof
obligations as most proofs have to consider bound and free transitions separately anyway.
We can now define our operational semantics using inductively defined sets which will
contain pairs of processes and residuals. The semantics, including the split rules for Par
and Res, can be found in Fig. 1.

As mentioned previously, permutations are usually very well behaved. The following 
proposition is generated automatically by the nominal package. 

Proposition 3.3. $P \longmapsto Res \Rightarrow p\cdot P \longmapsto p\cdot Res$
3.2. Induction and case analysis rules.

3.2.1. Automatically generated rules. Isabelle will automatically create rules for both
induction and case analysis of the semantics. They are specifically tailored to allow induction
over all possible transitions but can also be custom made to do induction or case analysis
over specific types of processes, such as those composed by the $\mid$-operator. They will have
an assumption of the form $P \longmapsto Res$, which is the term with which we are working, and
a logical proposition $Prop$ which is what we want to prove. When applied these rules will
generate a set of subgoals where every subgoal corresponds to one action that the process $P$
could take to end up in $Res$; in short, $Prop$ needs to be proven for all possible transitions
for the rule to hold. The rules do, however, assume that the equivalence relation used is
syntactic equivalence and not α-equivalence. The nominal datatype package automatically
creates induction rules for nominal datatypes as well as for inductively defined sets or
predicates. The induction rule generated for the semantics is the largest possible one which does
induction over all operational rules and there is currently no way to automatically generate
case analysis rules for transitions of a certain form. To derive rules for the cases which do
not make use of bound names is unproblematic. In fact, Isabelle will be able to derive the
following case analysis rules with very little help.

Proposition 3.4. The automatically generated case analysis rule for tau-transitions.

$$\dfrac{\tau.P \xrightarrow{\alpha} P' \qquad \alpha = \tau \wedge P = P' \Rightarrow Prop}{Prop}$$

Proposition 3.5. The automatically generated case analysis rule for output transitions.

$$\dfrac{\bar a b.P \xrightarrow{\alpha} P' \qquad \alpha = \bar a b \wedge P = P' \Rightarrow Prop}{Prop}$$

Proposition 3.6. The automatically generated case analysis rule for matches.

$$\dfrac{[a = b]P \longmapsto Res \qquad a = b \wedge P \longmapsto Res \Rightarrow Prop}{Prop}$$

Proposition 3.7. The automatically generated case analysis rule for mismatches.

$$\dfrac{[a \neq b]P \longmapsto Res \qquad a \neq b \wedge P \longmapsto Res \Rightarrow Prop}{Prop}$$

Proposition 3.8. The automatically generated case analysis rules for sums.

$$\dfrac{P + Q \longmapsto Res \qquad P \longmapsto Res \Rightarrow Prop \qquad Q \longmapsto Res \Rightarrow Prop}{Prop}$$

The rest of the rules generated by Isabelle for our operational semantics deal with bound 
names and suffer from three problems, which we now address in turn. 
3.2.2. Problems with generated bound names. The first problem is that some semantic case
analysis rules generate bound names. When the rule is applied in the context of a proof,
there is no a priori guarantee that these names are fresh in this larger context. We therefore
derive rules for induction and case analysis which are parameterized on a finite set of names,
the "context names", which the user can provide when applying the rule. The bound
names generated by the rules are guaranteed to be fresh from the context names (just as is
guaranteed for induction rules generated by the nominal package, and for the same reason:
avoiding name clashes and α-conversions later in the proof). This idea stems from [13] but
was developed independently of similar work in [35]. The logical framework has also been
covered in [38].

As an example a derived rule for case analysis of the parallel operator is shown in the 
following proposition where the parameter C represents a set of context names and can be 
instantiated with any nominal datatype: 

Lemma 3.9. The derived case analysis rule for the parallel operator with no bound names
in the transition.

$$\dfrac{\begin{array}{l}
P \mid Q \xrightarrow{\alpha} R \\
\forall P'.\ P \xrightarrow{\alpha} P' \wedge R = P' \mid Q \Rightarrow Prop \\
\forall Q'.\ Q \xrightarrow{\alpha} Q' \wedge R = P \mid Q' \Rightarrow Prop \\
\forall P'\,Q'\,a\,x\,b.\ P \xrightarrow{a(x)} P' \wedge Q \xrightarrow{\bar a b} Q' \wedge \alpha = \tau \wedge R = P'\{b/x\} \mid Q' \wedge x \mathrel{\#} C \Rightarrow Prop \\
\forall P'\,Q'\,a\,x\,b.\ P \xrightarrow{\bar a b} P' \wedge Q \xrightarrow{a(x)} Q' \wedge \alpha = \tau \wedge R = P' \mid Q'\{b/x\} \wedge x \mathrel{\#} C \Rightarrow Prop \\
\forall P'\,Q'\,a\,x\,y.\ P \xrightarrow{a(x)} P' \wedge Q \xrightarrow{\bar a(y)} Q' \wedge y \mathrel{\#} P \wedge \alpha = \tau \wedge R = (\nu y)(P'\{y/x\} \mid Q') \wedge x \mathrel{\#} C \wedge y \mathrel{\#} C \Rightarrow Prop \\
\forall P'\,Q'\,a\,x\,y.\ P \xrightarrow{\bar a(y)} P' \wedge Q \xrightarrow{a(x)} Q' \wedge y \mathrel{\#} Q \wedge \alpha = \tau \wedge R = (\nu y)(P' \mid Q'\{y/x\}) \wedge x \mathrel{\#} C \wedge y \mathrel{\#} C \Rightarrow Prop
\end{array}}{Prop}$$



Each all-quantified term corresponds to a possible transition by the process P \ Q. The two 
semantic rules which introduce bound names are the Comm- and the Close rules. The rule 
can be instantiated with an arbitrary term C and these bound names will be set fresh for 
that term. 

3.2.3. Problems with equivalence checks on terms. The second problem is that in case
analysis, equivalence checks between terms always appear. If these terms contain bound names,
such as $(\nu x)P = (\nu y)Q$, then normal unification is not possible. As seen in Prop. 2.2 and
2.3 every such equivalence check produces either two cases which both have to be proven
or one case with several permutation and freshness conditions. As an example, a rule for
case analysis on the $\nu$-operator with no bound names in the action can be found in the
following proposition:
Proposition 3.10. The automatically generated case analysis rule for the $\nu$-operator, based
on Prop. 2.3, where no bound name occurs in the action.

$$\dfrac{\begin{array}{l}
(\nu x)P \xrightarrow{\alpha} P' \\
\forall Q\,Q'\,\beta\,y.\ Q \xrightarrow{\beta} Q' \wedge y \mathrel{\#} \beta \wedge (\nu x)P = (\nu y)Q \wedge \alpha = \beta \wedge P' = (\nu y)Q' \Rightarrow Prop
\end{array}}{Prop}$$

The conjunct $(\nu x)P = (\nu y)Q$ poses a problem as we have to show $Prop$ for all cases such
that the equivalence holds. We can reason about this equality using either Prop. 2.2 or
Prop. 2.3 but neither of these rules are convenient to work with. Prop. 2.2 causes a case
explosion which forces us to prove the same thing several times for different permutations on
terms and Prop. 2.3 introduces extra permutations which makes the proof more cumbersome
to work with. We therefore use the following derived lemma in place of the original case
analysis rule:

Lemma 3.11. Case analysis rule derived from Prop. 3.10.

$$\dfrac{(\nu x)P \xrightarrow{\alpha} P' \qquad \forall P''.\ P \xrightarrow{\alpha} P'' \wedge x \mathrel{\#} \alpha \wedge P' = (\nu x)P'' \Rightarrow Prop}{Prop}$$

The main idea of the proof is to find a P" which suitably depends on the universally 
quantified terms in the second assumption of the original proposition. 

The other rule which requires this treatment is the case analysis rule for the parallel
operator where the transition contains a bound name.

Lemma 3.12. Case analysis rule for the parallel operator with a bound name in the
transition.

$$\dfrac{\begin{array}{l}
P \mid Q \xrightarrow{a\langle x\rangle} R \\
\forall P'.\ P \xrightarrow{a\langle x\rangle} P' \wedge x \mathrel{\#} Q \wedge R = P' \mid Q \Rightarrow Prop \\
\forall Q'.\ Q \xrightarrow{a\langle x\rangle} Q' \wedge x \mathrel{\#} P \wedge R = P \mid Q' \Rightarrow Prop
\end{array}}{Prop}$$



3.2.4. Problems with multiple bound names in terms. The third problem arises when several 
bound names occur in the term that you want to do case analysis on. We have already shown 
how we can ensure that any newly generated bound names are disjoint from any context we 
might be interested in. The problem here is that since multiple bound names are present 
before case analysis starts, any properties regarding them are fixed in the environment and 
if we have a name clash, we have to do manual α-conversions. There are two rules that
suffer from this problem, where the simplest one is the one for input-prefix. To solve this 
problem, we derive the following case analysis rule. 

Lemma 3.13. The derived case analysis rule for the input-prefix.

$$\dfrac{a(x).P \xrightarrow{b\langle y\rangle} P' \qquad a = b \wedge P' = (x\ y)\cdot P \Rightarrow Prop}{Prop}$$

The other rule which requires this treatment is the restriction case where a bound name 
appears in the transition. 
Lemma 3.14. The derived case analysis rule for restriction with a bound name in the
transition.

$$\dfrac{\begin{array}{l}
(\nu x)P \xrightarrow{a\langle y\rangle} P' \qquad x \neq y \\
\forall b\,P''.\ P \xrightarrow{\bar b x} P'' \wedge b \neq x \wedge a = \mathrm{BoundOutput}\ b \wedge P' = (x\ y)\cdot P'' \Rightarrow Prop \\
\forall P''.\ P \xrightarrow{a\langle y\rangle} P'' \wedge x \mathrel{\#} a \wedge x \neq y \wedge P' = (\nu x)P'' \Rightarrow Prop
\end{array}}{Prop}$$

In this rule we require x and y to be disjoint. The two applicable rules from the semantics 
have conflicting requirements on the bound names - one requires them to be the same, 
and the other requires them to be disjoint. To keep the generality of the lemma, we keep 
the bound names disjoint and in the Open case permute the names in the derivative. As 
we shall see later, we will always be in a context where we can guarantee that $x$ and $y$ are
separate when applying this rule. 

3.2.5. Induction. The remaining operator is the $!$-operator which requires an induction rule
rather than a case analysis rule as it is the only operator which occurs in the premise of its
inference rule, as can be seen in Fig. 1. As in Lemma 3.9, $C$ is a parameter representing
the names with which new bound names may not clash.

Lemma 3.15. The derived induction rule for the $!$-operator.

$$\dfrac{\begin{array}{l}
!P \longmapsto Res \\
(1)\ \forall a\,x\,P'\,C.\ P \xrightarrow{a\langle x\rangle} P' \wedge x \mathrel{\#} P \wedge x \mathrel{\#} C \Rightarrow Prop\ C\ (P \mid !P)\ (a\langle x\rangle \prec P' \mid !P) \\
(2)\ \forall \alpha\,P'\,C.\ P \xrightarrow{\alpha} P' \Rightarrow Prop\ C\ (P \mid !P)\ (\alpha \prec P' \mid !P) \\
(3)\ \forall a\,x\,P'\,C.\ !P \xrightarrow{a\langle x\rangle} P' \wedge x \mathrel{\#} P \wedge x \mathrel{\#} C \wedge Prop\ C\ (!P)\ (a\langle x\rangle \prec P') \Rightarrow Prop\ C\ (P \mid !P)\ (a\langle x\rangle \prec P \mid P') \\
(4)\ \forall \alpha\,P'\,C.\ !P \xrightarrow{\alpha} P' \wedge Prop\ C\ (!P)\ (\alpha \prec P') \Rightarrow Prop\ C\ (P \mid !P)\ (\alpha \prec P \mid P') \\
(5)\ \forall a\,x\,b\,P'\,P''\,C.\ P \xrightarrow{a(x)} P' \wedge !P \xrightarrow{\bar a b} P'' \wedge Prop\ C\ (!P)\ (\bar a b \prec P'') \wedge x \mathrel{\#} C \Rightarrow Prop\ C\ (P \mid !P)\ (\tau \prec P'\{b/x\} \mid P'') \\
(6)\ \forall a\,x\,b\,P'\,P''\,C.\ P \xrightarrow{\bar a b} P' \wedge !P \xrightarrow{a(x)} P'' \wedge Prop\ C\ (!P)\ (a(x) \prec P'') \wedge x \mathrel{\#} C \Rightarrow Prop\ C\ (P \mid !P)\ (\tau \prec P' \mid P''\{b/x\}) \\
(7)\ \forall a\,x\,y\,P'\,P''\,C.\ P \xrightarrow{a(x)} P' \wedge !P \xrightarrow{\bar a(y)} P'' \wedge Prop\ C\ (!P)\ (\bar a(y) \prec P'') \wedge x \mathrel{\#} C \wedge y \mathrel{\#} P \wedge y \mathrel{\#} C \Rightarrow Prop\ C\ (P \mid !P)\ (\tau \prec (\nu y)(P'\{y/x\} \mid P'')) \\
(8)\ \forall a\,x\,y\,P'\,P''\,C.\ P \xrightarrow{\bar a(y)} P' \wedge !P \xrightarrow{a(x)} P'' \wedge Prop\ C\ (!P)\ (a(x) \prec P'') \wedge x \mathrel{\#} C \wedge y \mathrel{\#} P \wedge y \mathrel{\#} C \Rightarrow Prop\ C\ (P \mid !P)\ (\tau \prec (\nu y)(P' \mid P''\{y/x\}))
\end{array}}{Prop\ C\ (!P)\ Res}$$

Each numbered line corresponds to one way that an action can be inferred from a replication.
Lines (1) and (2) cover the case where a single process makes an action, lines (3) and (4)
perform the inductive step where a process in the smaller chain of replicated processes
makes an action. Lines (5) and (6) handle communication and lines (7) and (8) handle scope
extrusion.

The derived lemma is an induction rule in that it has the induction hypothesis Prop 
occurring on the left hand side of the implications in the inductive rules where ! occurs. A 
simpler rule which only makes use of the inference rule for ! is available, but the proofs we 
are interested in would have to make use of the rules for the $\mid$-operator to reason about all
possible transitions that a process of the form $!P$ could do. This induction rule combines
the two in one rule. 

4. Strong bisimulation 

4.1. Simulation. Intuitively, two processes are said to be bisimilar if they can mimic each
other step by step. Traditionally, a bisimulation is a symmetric binary relation $\mathcal{R}$ such that
for all processes $P$ and $Q$ in $\mathcal{R}$, if $P$ can do an action, then $Q$ can mimic that action and
their corresponding derivatives are in $\mathcal{R}$.

When defining bisimulation between two processes in the pi-calculus, extra care has to
be taken with respect to bound names in actions. Consider the following processes:

$$P = a(u).(\nu b)\bar b x.0 \qquad Q = a(x).0$$

Clearly $P$ and $Q$ should be bisimilar since they both can do only one input action along a
channel $a$ and then nothing more. But since $x$ occurs free in $P$, $P$ cannot be α-converted
into $a(x).(\nu b)\bar b x.0$. However, since processes have finite support, there exists a name $w$ which
is fresh in both $P$ and $Q$ and after α-converting both processes, bisimulation is possible.
Hence, when reasoning about bisimulation, we must restrict attention to the bound names
of actions which are fresh for both $P$ and $Q$. One of our main contributions is how this
is achieved without running into a multitude of α-conversions. Our formal definition of
bisimulation equivalence uses the following notion, where $\mathcal{R}$ is a binary relation on agents.

Definition 4.1. The agent $P$ can simulate the agent $Q$ preserving $\mathcal R$, written $P \leadsto_{\mathcal R} Q$, if

$(\forall a\,x\,Q'.\ Q \xrightarrow{a\langle x\rangle} Q' \wedge x \sharp P \Longrightarrow \exists P'.\ P \xrightarrow{a\langle x\rangle} P' \wedge derivative(a, x, P', Q', \mathcal R))\ \wedge$

$(\forall \alpha\,Q'.\ Q \xrightarrow{\alpha} Q' \Longrightarrow \exists P'.\ P \xrightarrow{\alpha} P' \wedge (P', Q') \in \mathcal R)$

where

$derivative(a, x, P', Q', \mathcal R) \stackrel{\mathrm{def}}{=}$ case $a$ of $\mathrm{Input}\ \_ \Rightarrow \forall u.\ (P'\{u/x\}, Q'\{u/x\}) \in \mathcal R$ $\mid$ $\mathrm{BoundOutput}\ \_ \Rightarrow (P', Q') \in \mathcal R$

Note that the argument $a$ in $derivative$ is of type subject as described in Def. 3.11. Thus, the requirement is that if $Q$ has an action then $P$ has the same action, and the derivatives $P'$ and $Q'$ are in $\mathcal R$.

Equivariance also needs to be established for simulations. More specifically, we need to prove the following lemma:

Lemma 4.2. If $P \leadsto_{\mathcal R} Q$, $\mathcal R$ is a subset of $\mathcal R'$ and $\mathcal R'$ is equivariant then $p \bullet P \leadsto_{\mathcal R'} p \bullet Q$.

Proof. By Def. 4.1. The intuition is to apply the inverse permutation of $p$ to cancel it out. The inverse can be applied using Lemma 3.3 and the assumption $\mathit{eqvt}\ \mathcal R'$. □
The traditional way to define strong bisimulation equivalence is to say that $\mathcal R$ is a bisimulation if it is symmetric and that for all agents $P$, $Q$ it holds that $(P, Q) \in \mathcal R \Longrightarrow P \leadsto_{\mathcal R} Q$; the strong bisimulation equivalence is then the union of all strong bisimulations. As we shall see in a moment, an alternative definition using direct coinduction, similar to the approach in [25], yields shorter proofs. Our main improvement, however, is in the treatment of the bound name $x$. In Def. 4.1 it is by definition ensured not to be among the free names in $P$, but when we use it within a complex proof we will run into a massive case analysis on whether $x$ is equal to other names used in the proof. In the same way as in Lemma 3.9 we bypass this tedium and derive the following introduction rule for an arbitrary nominal data term $C$. This term is provided by the user to ensure that the bound name is distinct from any name occurring so far in the proof.

Lemma 4.3. An introduction rule for simulation avoiding name clashes.

$\mathit{eqvt}\ \mathcal R$
$\forall a\,x\,Q'.\ Q \xrightarrow{a\langle x\rangle} Q' \wedge x \sharp C \Longrightarrow \exists P'.\ P \xrightarrow{a\langle x\rangle} P' \wedge derivative(a, x, P', Q', \mathcal R)$
$\forall \alpha\,Q'.\ Q \xrightarrow{\alpha} Q' \Longrightarrow \exists P'.\ P \xrightarrow{\alpha} P' \wedge (P', Q') \in \mathcal R$
──────────
$P \leadsto_{\mathcal R} Q$

This is used extensively in our proofs. We can in this way make sure that whenever bound names appear in our proof context, these bound names do not clash with other names, which would force us to do α-conversions. The number of α-conversions we have to do manually is reduced to the instances where they would be required in a manual proof.

Note that we need an extra requirement that our simulation relation is equivariant. The reason is that if the relation is not closed under permutations, we cannot α-convert our processes. Fortunately, all relations of interest turn out to be equivariant and the proofs trivial.



4.2. Preservation properties. Our simulations are parametrised on an arbitrary relation $\mathcal R$. We exploit this by providing, for each operator, a set of constraints on $\mathcal R$ such that the operator preserves $\leadsto_{\mathcal R}$. This set of constraints should be kept as small as possible, as they will have to be proven when we prove preservation properties of bisimulation. In this section we show all proofs that are needed to show that a relation is preserved by all operators. We first establish lemmas for reflexivity and transitivity.

Lemma 4.4. $\mathit{Id} \subseteq \mathcal R \Longrightarrow P \leadsto_{\mathcal R} P$

Proof. By the definition of simulation. □

Lemma 4.5. $P \leadsto_{\mathcal R} Q \wedge Q \leadsto_{\mathcal R'} R \wedge \mathit{eqvt}\ \mathcal R'' \wedge \mathcal R' \circ \mathcal R \subseteq \mathcal R'' \Longrightarrow P \leadsto_{\mathcal R''} R$

Proof. By Lemma 4.3, setting $C$ to $(P, Q)$ to make the bound names which occur in the transitions disjoint from $P$ and $Q$. We would otherwise have to do manual α-conversions when traversing the simulation chain. □

We can now move on to our preservation lemmas. 

Lemma 4.6. $(P, Q) \in \mathcal R \Longrightarrow \tau.P \leadsto_{\mathcal R} \tau.Q$

Proof. By Def. 4.1 and Prop. 3.3. □

Lemma 4.7. $(P, Q) \in \mathcal R \Longrightarrow \bar a b.P \leadsto_{\mathcal R} \bar a b.Q$

Proof. By Def. 4.1 and Prop. 3.3. □

In order for a relation to be preserved by the input prefix it needs to be closed under substitutions. We write $\mathcal R^{s}$ for the closure of the relation $\mathcal R$ under all substitutions.

Definition 4.8. $P\ \mathcal R^{s}\ Q \stackrel{\mathrm{def}}{=} \forall \sigma.\ (P\sigma)\ \mathcal R\ (Q\sigma)$ where $\sigma$ is a chain of substitutions.

Lemma 4.9. $(P, Q) \in \mathcal R^{s} \wedge \mathit{eqvt}\ \mathcal R \Longrightarrow a(x).P \leadsto_{\mathcal R} a(x).Q$

Proof. By Lemma 4.3, setting $C$ to $(x, P)$. Lemma 3.13 can then be used to finish the proof. □

Lemma 4.10.

$P \leadsto_{\mathcal R} Q$
──────────
$[a = b]P \leadsto_{\mathcal R} [a = b]Q$

Proof. By Def. 4.1 and Prop. 3.6. □

Lemma 4.11.

$P \leadsto_{\mathcal R} Q$
──────────
$[a \neq b]P \leadsto_{\mathcal R} [a \neq b]Q$

Proof. By Def. 4.1 and Prop. 3.7. □

Lemma 4.12.

$P \leadsto_{\mathcal R} Q$
$\mathit{Id} \subseteq \mathcal R$
──────────
$P + S \leadsto_{\mathcal R} Q + S$

Proof. By Def. 4.1, Prop. 3.6 and Lemma 4.4. □

The remaining preservation lemmas do not require that the relation reasoned about in the assumptions is the same as in the conclusions. It suffices to require them to be related by a set of constraints. The reason for this will be clarified when we cover bisimulation; suffice it here to say that it makes the lemmas more general.

Lemma 4.13.

$P \leadsto_{\mathcal R} Q$   $(P, Q) \in \mathcal R$   $\mathit{Id} \subseteq \mathcal R$
$\forall P\,Q\,S.\ (P, Q) \in \mathcal R \Longrightarrow (P \mid S, Q \mid S) \in \mathcal R'$
$\forall P\,Q\,x.\ (P, Q) \in \mathcal R' \Longrightarrow ((\nu x)P, (\nu x)Q) \in \mathcal R'$
──────────
$P \mid S \leadsto_{\mathcal R'} Q \mid S$

Proof. By the definition of simulation. Lemma 3.12 is used to prove the cases where bound names occur in the transition and Lemma 3.9 is used otherwise. When using Lemma 3.9, $C$ is set to $(P, S)$. This proof will be covered more extensively in Section 5. □
Lemma 4.14.

$P \leadsto_{\mathcal R} Q$   $\mathit{eqvt}\ \mathcal R$   $\mathit{eqvt}\ \mathcal R'$   $\mathcal R \subseteq \mathcal R'$
$\forall P\,Q\,x.\ (P, Q) \in \mathcal R \Longrightarrow ((\nu x)P, (\nu x)Q) \in \mathcal R'$
──────────
$(\nu x)P \leadsto_{\mathcal R'} (\nu x)Q$

Proof. By Lemma 4.3, setting $C$ to $(x, P)$. Lemmas 3.14 and 3.10 are then used for the case analysis. $\mathcal R$ has to be equivariant since the Open case introduces permutations which need to be applied to the relation. □

The remaining preservation lemma we need is for the !-operator. For this proof we are going to need a recursively defined relation. This follows from the fact that the !-operator is the only operator which occurs on the left hand side of the semantic rules, and the proof needs to be done on the depth of inference and not the size of the term.

Definition 4.15. $\mathit{Rep}\ \mathcal R$ is the relation inductively defined by:

$(P, Q) \in \mathcal R \Longrightarrow (!P, !Q) \in \mathit{Rep}\ \mathcal R$
$(P, Q) \in \mathcal R \wedge (S, T) \in \mathit{Rep}\ \mathcal R \Longrightarrow (P \mid S, Q \mid T) \in \mathit{Rep}\ \mathcal R$
$(P, Q) \in \mathit{Rep}\ \mathcal R \Longrightarrow ((\nu x)P, (\nu x)Q) \in \mathit{Rep}\ \mathcal R$

Lemma 4.16.

$(P, Q) \in \mathcal R$   $\mathit{eqvt}\ \mathcal R$
$\forall P\,Q.\ (P, Q) \in \mathcal R \Longrightarrow P \leadsto_{\mathcal R} Q$
──────────
$!P \leadsto_{\mathit{Rep}\ \mathcal R}\ !Q$

Proof. The trick here is to include the fact that $(!P, !Q) \in \mathit{Rep}\ \mathcal R$ in the induction hypothesis. We use Lemma 3.15 to do induction over the transitions made by the process $!Q$. We know that the processes in the relation $\mathcal R$ simulate each other and the induction hypothesis generates the simulations by the nested replications. This proof is the most extensive of the preservation proofs due to its many cases and the need for induction. □

4.3. Strong Bisimulation. Strong bisimulation equivalence can be described using coinduction, i.e. the greatest fixed point derived from a monotonic function.

Definition 4.17. Strong bisimulation equivalence, $\sim$, is the largest relation satisfying:
$P \sim Q \Longrightarrow P \leadsto_{\sim} Q \wedge Q \leadsto_{\sim} P$

Note that we do not need to define what a bisimulation is; our coinductive definition uses $P \leadsto_{\mathcal R} Q$ directly. This defines $\sim$ to be the largest relation such that related agents can simulate each other preserving $\sim$.

Conducting proofs on bisimulation equivalence often boils down to proving the same thing twice, once for each direction. With our formulation it is often easy to just prove one direction and let the other be inferred automatically.

When proving that two processes are bisimilar, we pick a set $X$ which contains the processes and which respects the constraints of the corresponding preservation lemma. It then suffices to show that all members of $X$ are simulated preserving $X \cup \sim$. The following coinduction rules are easily derivable from the ones generated by Isabelle.
Lemma 4.18.

$(P, Q) \in X$
$\forall P'\,Q'.\ (P', Q') \in X \Longrightarrow P' \leadsto_{X \cup \sim} Q' \wedge Q' \leadsto_{X \cup \sim} P'$
──────────
$P \sim Q$

Lemma 4.19.

$(P, Q) \in X$
$\forall P'\,Q'.\ (P', Q') \in X \Longrightarrow P' \leadsto_{X} Q' \wedge Q' \leadsto_{X} P'$
──────────
$P \sim Q$

The difference between the two rules is found in the goal, where the weaker version requires the processes to be simulated preserving $X \cup \sim$ whereas the stronger version only requires them to be simulated preserving $X$. Unless otherwise specified, the first of the two is the one being used.

The coinductive definition of bisimulation is equal to the standard one where bisimulation is regarded as the union of all bisimulation relations.

Definition 4.20. A relation $\mathcal R$ is a bisimulation relation if for all $(P, Q) \in \mathcal R$, $P \leadsto_{\mathcal R} Q$ and $Q \leadsto_{\mathcal R} P$. We define $\sim'$ to be the union of all bisimulation relations.

We find the coinductive approach easier to work with and the proof that the two versions of bisimilarity are equal is straightforward.

Lemma 4.21. ${\sim} = {\sim'}$

Proof.

$\Longrightarrow$ By definition of $\sim$ we get for all processes $P$ and $Q$ where $P \sim Q$ that $P \leadsto_{\sim} Q$ and $Q \leadsto_{\sim} P$. Hence $\sim$ is a bisimulation relation.
$\Longleftarrow$ From the definition of $\sim'$ we get an arbitrary bisimulation relation $\mathcal R$ and processes $P$ and $Q$ where $(P, Q) \in \mathcal R$, $P \leadsto_{\mathcal R} Q$ and $Q \leadsto_{\mathcal R} P$. That $P \sim Q$ follows immediately by coinduction using Lemma 4.19 where $X$ is set to $\mathcal R$. □

An important property of the bisimulation relation is that it is equivariant. When doing proofs we rely heavily on Lemma 4.3, which requires the simulation relation to be equivariant.

Lemma 4.22. $\mathit{eqvt} \sim$

Proof. By coinduction using Lemma 4.18 on $\sim$. Set $X$ to be $\{(p \bullet P, p \bullet Q) \mid P \sim Q\}$. Using Lemma 4.2 the proof is quite straightforward since $\sim$ is a subset of $X$ by instantiating $X$ with the identity permutation. $X$ is also trivially equivariant. □

Another important property of strong bisimulation is that it is an equivalence relation.

Lemma 4.23. $\sim$ is an equivalence relation.

Proof.

Reflexivity: Use coinduction and set $X$ to the identity relation. The proof then follows trivially from Lemma 4.4.
Symmetry: Follows trivially from the definition of $\sim$.
Transitivity: By coinduction where $X$ is set to ${\sim} \circ {\sim}$. The result then follows by using Lemma 4.5. □
We can now prove one of our main theorems.

Theorem 4.24. Strong bisimulation is preserved by all operators except the input-prefix, i.e. if $P \sim Q$ then

(1) $\tau.P \sim \tau.Q$
(2) $\bar a b.P \sim \bar a b.Q$
(3) $[a = b]P \sim [a = b]Q$
(4) $[a \neq b]P \sim [a \neq b]Q$
(5) $P + R \sim Q + R$
(6) $P \mid R \sim Q \mid R$
(7) $(\nu x)P \sim (\nu x)Q$
(8) $!P \sim\ !Q$

Proof. To prove (1) to (5), Lemmas 4.6, 4.7 and 4.10 to 4.12 are used respectively.

When proving (7) we use coinduction and set $X$ to $\{((\nu x)P, (\nu x)Q) \mid P \sim Q\}$. Lemma 4.14 can then prove preservation of both simulations.

To prove (8) we strengthen our assumption that $P \sim Q$ to $(P, Q) \in \mathit{Rep} \sim$ and use the coinduction principle of Lemma 4.19 with $X$ set to $\mathit{Rep} \sim$. The preservation properties of the simulations can then be inferred by induction over $\mathit{Rep} \sim$, resulting in three cases from the derivation rules of $\mathit{Rep}$. These can be proven by Lemmas 4.16, 4.13 and 4.14 respectively.

The proof for (6) is deferred to Section 5. □

We now define strong equivalence, $\sim^{s}$, as the largest bisimulation relation closed under substitution and prove our next theorem.

Theorem 4.25. $\sim^{s}$ is a congruence.

This result uses Theorem 4.24. In the preservation proof for the ν-operator the bound name must be α-converted to not clash with the substitution chain. We also need the following lemma to prove closure under input-prefix.

Lemma 4.26. $P \sim^{s} Q \Longrightarrow a(x).P \sim^{s} a(x).Q$

Proof. By the definition of $\sim^{s}$ and Lemma 4.9. □



5. An Example Derivation 

As an example of our proof techniques, we here present the omitted part of the proof for Theorem 4.24 (6), that strong bisimulation is preserved by the parallel operator.

The proof strategy amounts to proving simulations $P \leadsto_{\mathcal R} Q$. We begin by stating the requirements on $\mathcal R$ that are necessary for the proof to go through. We do this before instantiating $\mathcal R$, since this makes the proof more general and better structured.

Recall Lemma 4.13, which is our preservation result for the |-operator.

(1) $P \leadsto_{\mathcal R} Q$
(2) $(P, Q) \in \mathcal R$
(3) $\mathit{Id} \subseteq \mathcal R$
(4) $\forall P\,Q\,S.\ (P, Q) \in \mathcal R \Longrightarrow (P \mid S, Q \mid S) \in \mathcal R'$
(5) $\forall P\,Q\,x.\ (P, Q) \in \mathcal R' \Longrightarrow ((\nu x)P, (\nu x)Q) \in \mathcal R'$
──────────
$P \mid S \leadsto_{\mathcal R'} Q \mid S$
Two of these conditions concern $\mathcal R'$. Condition (4) is straightforward: if $P$ and $Q$ are in $\mathcal R$, then $P \mid S$ and $Q \mid S$ must be in $\mathcal R'$. Condition (5) is a bit less obvious, but since the parallel operator can introduce restrictions, $\mathcal R'$ must also be preserved by the ν-operator. Assumptions (2) and (3) ensure that the processes are in $\mathcal R$ to begin with. This is not a prerequisite for simulation, but we need to know this in order to use (1) when a process stands still and we need to place it in parallel with the derivative of the other process in $\mathcal R'$.

We provide a more in-depth look at the proof for Lemma 4.13.

Proof. By Definition 4.1 we shall show:

$(\forall a\,x\,T'.\ Q \mid S \xrightarrow{a\langle x\rangle} T' \wedge x \sharp P \mid S \Longrightarrow \exists P'.\ P \mid S \xrightarrow{a\langle x\rangle} P' \wedge derivative(a, x, P', T', \mathcal R'))\ \wedge$
$(\forall \alpha\,T'.\ Q \mid S \xrightarrow{\alpha} T' \Longrightarrow \exists P'.\ P \mid S \xrightarrow{\alpha} P' \wedge (P', T') \in \mathcal R')$

We can now do case analysis on $Q \mid S \xrightarrow{\alpha} T'$ and $Q \mid S \xrightarrow{a\langle x\rangle} T'$. We get eight cases (the four rules for parallel composition as seen in Fig. 1 and their symmetric versions). We will focus on the Close case since it nicely demonstrates the advantages of the nominal package.

Using our derived case analysis rule, Lemma 3.9, we can make sure that the bound names which appear in the Close case do not clash with $P$ by setting $C$ to $P$. After induction we get:

(6) $Q \xrightarrow{a(x)} Q'$ (assumption)
(7) $S \xrightarrow{\bar a(\nu y)} S'$ (assumption)
(8) $x \sharp P$ ($C = P$ in Lemma 3.9)
(9) $y \sharp P$ ($C = P$ in Lemma 3.9)
(10) $\exists P'.\ P \xrightarrow{a(x)} P' \wedge derivative((\mathrm{Input}\ a), x, P', Q', \mathcal R)$ (1, 6, 8, Def. 4.1)
(11) $P \xrightarrow{a(x)} P'$ (10)
(12) $P \mid S \xrightarrow{\tau} (\nu y)(P'\{y/x\} \mid S')$ (Close, 11, 7, 9)
(13) $(P'\{y/x\}, Q'\{y/x\}) \in \mathcal R$ (10, Def. 4.1)
(14) $(P'\{y/x\} \mid S', Q'\{y/x\} \mid S') \in \mathcal R'$ (4, 13)
(15) $((\nu y)(P'\{y/x\} \mid S'), (\nu y)(Q'\{y/x\} \mid S')) \in \mathcal R'$ (5, 14)
$\exists P'.\ P \mid S \xrightarrow{\tau} P' \wedge (P', (\nu y)(Q'\{y/x\} \mid S')) \in \mathcal R'$ (12, 15)

□



The above is a step-by-step version of the Isabelle proof and it mimics the way one could do a strict pen-and-paper version of the proof. Note how in steps 6 and 7, the bound names of both transitions generated by the induction rule are set to be fresh for $P$. We would otherwise have to α-convert both transitions. As it stands, all α-conversions are abstracted away completely. Steps 13 to 15 use the preservation properties of $\mathcal R$ and $\mathcal R'$ to prove that the proper derivatives are in $\mathcal R'$.

Furthermore, we have to prove a lemma on chains of restrictions, since the Close-operator introduces new restrictions, as was also seen in lemma [



Definition 5.1. $(\nu\tilde v)P$ denotes a chain of restrictions applied to $P$, where $\tilde v$ is a list, possibly empty, of restrictions.

Lemma 5.2. Introduction rule for restriction chains:

$P \leadsto_{\mathcal R} Q$   $\mathit{eqvt}\ \mathcal R$   $\forall P\,Q\,x.\ (P, Q) \in \mathcal R \Longrightarrow ((\nu x)P, (\nu x)Q) \in \mathcal R$
──────────
$(\nu\tilde v)P \leadsto_{\mathcal R} (\nu\tilde v)Q$

Proof. By induction on $\tilde v$. □

The intuition behind the lemma is quite simple. If a simulation relation $\mathcal R$ is preserved by the ν-operator and $P$ simulates $Q$ preserving $\mathcal R$, then $(\nu x)P$ simulates $(\nu x)Q$ preserving $\mathcal R$ for an arbitrary name $x$, and hence by induction $(\nu\tilde v)P$ must simulate $(\nu\tilde v)Q$ preserving $\mathcal R$ where $\tilde v$ is an arbitrary chain of restricted names. This is a general lemma which is used repeatedly when proving bisimulations using the parallel operator.

We now proceed to the main proof of Theorem 4.24 (6) using coinduction. We will need a set $X$ which captures the agents we are interested in and prove the simulations which compose the bisimulation. We define $X$ as $\{((\nu\tilde v)(P \mid R), (\nu\tilde v)(Q \mid R)) \mid P \sim Q\}$. The two simulation proofs we use reside in our main lemma since they share the same assumption, which is the way the proof is done inside Isabelle.

Proof. If $P \sim Q$ then $P \mid R \sim Q \mid R$.

(1) $P \sim Q$ (assumption)
(2) $(P \mid R, Q \mid R) \in X$ (1, def. of $X$)

In order to use coinduction using Lemma 4.18 we must prove that every pair in $X$ simulates preserving $X \cup \sim$. The members of $X$ have chains of restrictions so we first have to use Lemma 4.13 with a specific simulation relation in order to reason about them.

Lemma 5.3. If $P \leadsto_{\sim} Q$ then $P \mid R \leadsto_{X \cup \sim} Q \mid R$

Proof.

(i) $P \leadsto_{\sim} Q$ (assumption)
(ii) $\forall P\,Q\,R.\ (P, Q) \in {\sim} \Longrightarrow (P \mid R, Q \mid R) \in X \cup \sim$ (def. of $X$)
(iii) $\forall P\,Q\,x.\ (P, Q) \in X \cup \sim \Longrightarrow ((\nu x)P, (\nu x)Q) \in X \cup \sim$ (def. of $X$, Theorem 4.24 (7))
$P \mid R \leadsto_{X \cup \sim} Q \mid R$ (Lemma 4.13, i to iii, 1)

□

From this lemma we see why Lemma 4.13 has to have different relations in the assumptions and the conclusion. The simulation we can assume is $P \leadsto_{\sim} Q$ but the one we need to prove is $P \mid R \leadsto_{X \cup \sim} Q \mid R$.

We can now extend our simulation to include chains of restrictions.

Lemma 5.4. If $P \leadsto_{\sim} Q$ then $(\nu\tilde v)(P \mid R) \leadsto_{X \cup \sim} (\nu\tilde v)(Q \mid R)$

Proof.

(i) $P \leadsto_{\sim} Q$ (assumption)
(ii) $P \mid R \leadsto_{X \cup \sim} Q \mid R$ (Lemma 5.3, i)
(iii) $\mathit{eqvt}\ (X \cup \sim)$ (def. of $X$, Lemma 4.22)
(iv) $\forall P\,Q\,x.\ (P, Q) \in X \cup \sim \Longrightarrow ((\nu x)P, (\nu x)Q) \in X \cup \sim$ (def. of $X$, Theorem 4.24 (7))
$(\nu\tilde v)(P \mid R) \leadsto_{X \cup \sim} (\nu\tilde v)(Q \mid R)$ (Lemma 5.2, ii to iv)

□

We can now prove our goal:

$P \mid R \sim Q \mid R$ (coinduction, 2, Lemma 5.4, Def. 4.17) □

It is interesting to note that we only have to prove simulations one way. When set up this way, Isabelle manages the symmetric versions of the proofs automatically. Of course, if the relation is not symmetric, such as in the proof of $(\nu x)P \sim P$ if $x \sharp P$, the two different directions require separate proofs, just as when doing the proofs on paper.

6. Structural congruence 

Structural congruence rules are used to equate processes which are structurally different but intuitively behave in the same way. The way these rules are implemented differs between formalisations. A common approach is to let the labelled transition system replace a term by a structurally congruent one in order to enable transitions. Another approach, and the one that we have chosen, is to prove that all structurally congruent terms are also bisimilar. The rules for structural congruence can be found in Fig. 2.

Theorem 6.1. If $P \equiv Q$ then $P \sim Q$.

As in the previous section we need to create auxiliary lemmas for all simulations we are interested in. Proving Theorem 6.1 requires that every structural congruence rule is proven individually. We will here demonstrate the most complicated example, which is to prove associativity of the |-operator. We will need the following two lemmas for simulation.

Lemma 6.2.

$\forall P\,Q\,R.\ ((P \mid Q) \mid R, P \mid (Q \mid R)) \in \mathcal R$
$\forall P\,Q\,x.\ (P, Q) \in \mathcal R \Longrightarrow ((\nu x)P, (\nu x)Q) \in \mathcal R$
$\forall P\,Q\,R\,x.\ x \sharp P \Longrightarrow ((\nu x)((P \mid Q) \mid R), P \mid (\nu x)(Q \mid R)) \in \mathcal R$
$\forall P\,Q\,R\,x.\ x \sharp R \Longrightarrow (((\nu x)(P \mid Q)) \mid R, (\nu x)(P \mid (Q \mid R))) \in \mathcal R$
──────────
$(P \mid Q) \mid R \leadsto_{\mathcal R} P \mid (Q \mid R)$

Proof. By case analysis over the |-operator. This proof contains 18 cases. The proofs individually are not very hard; there are just a lot of cases to cover. The assumptions about the relation $\mathcal R$ are used extensively in the proof. □

Lemma 6.3.

$\forall P\,Q\,R.\ (P \mid (Q \mid R), (P \mid Q) \mid R) \in \mathcal R$
$\forall P\,Q\,x.\ (P, Q) \in \mathcal R \Longrightarrow ((\nu x)P, (\nu x)Q) \in \mathcal R$
$\forall P\,Q\,R\,x.\ x \sharp P \Longrightarrow (P \mid (\nu x)(Q \mid R), (\nu x)((P \mid Q) \mid R)) \in \mathcal R$
$\forall P\,Q\,R\,x.\ x \sharp R \Longrightarrow ((\nu x)(P \mid (Q \mid R)), ((\nu x)(P \mid Q)) \mid R) \in \mathcal R$
──────────
$P \mid (Q \mid R) \leadsto_{\mathcal R} (P \mid Q) \mid R$

Proof. Similar to Lemma 6.2. □
The structural congruence $\equiv$ is defined as the smallest congruence satisfying the following laws:

(1) If $P$ and $Q$ are variants of α-conversion then $P \equiv Q$.

(2) The abelian monoid laws for Parallel: commutativity $P \mid Q \equiv Q \mid P$, associativity $(P \mid Q) \mid R \equiv P \mid (Q \mid R)$, and as unit $P \mid 0 \equiv P$; and the same laws for Sum.

(3) The unfolding law $!P \equiv P \mid\ !P$

(4) The scope extension laws

$(\nu x)0 \equiv 0$
$(\nu x)(P \mid Q) \equiv P \mid (\nu x)Q$ if $x \sharp P$
$(\nu x)(P + Q) \equiv P + (\nu x)Q$ if $x \sharp P$
$(\nu x)[u = v]P \equiv [u = v](\nu x)P$ if $x \neq u$ and $x \neq v$
$(\nu x)[u \neq v]P \equiv [u \neq v](\nu x)P$ if $x \neq u$ and $x \neq v$
$(\nu x)(\nu y)P \equiv (\nu y)(\nu x)P$

Figure 2: The definition of structural congruence.



In order to do the rest of this proof efficiently it turns out that we need to use other rules for structural congruence, since Lemmas 6.2 and 6.3 make heavy use of scoping rules. The coinduction rule (Lemma 4.18) allows us to work with an arbitrary relation, but to include the laws of structural congruence in this relation would be cumbersome. Instead we create the following coinduction rule.

Lemma 6.4. Compositional coinduction rule. Let $Y$ be ${\sim} \circ (X \cup {\sim}) \circ {\sim}$.

$(P, Q) \in X$   $\mathit{eqvt}\ X$
$\forall P'\,Q'.\ (P', Q') \in X \Longrightarrow P' \leadsto_{Y} Q' \wedge Q' \leadsto_{Y} P'$
──────────
$P \sim Q$

Proof. By coinduction and transitivity of simulation. □

We can now prove associativity of the |-operator.

Lemma 6.5. $(P \mid Q) \mid R \sim P \mid (Q \mid R)$

Proof. By coinduction using Lemma 6.4 and setting $X$ to $\{((\nu\tilde v)((P \mid Q) \mid R), (\nu\tilde v)(P \mid (Q \mid R)))\}$. Lemmas 6.2 and 6.3 can then be used together with the laws for scope extrusion to complete the proof. □

The next step is to prove that all structurally congruent terms are strongly equivalent.

Theorem 6.6. $P \equiv Q \Longrightarrow P \sim^{s} Q$

Proof. Nearly all work has already been done in Theorem 6.1. These proofs do, however, require manual α-conversions when dealing with scoping rules, as the cases where the restricted name clashes with the substitution chain must be taken into consideration. This is an example of where pen-and-paper proofs often are less rigorous than strictly required. □




The proofs we have done in this section are not overly complicated but require a solid attention to detail. Many of the proofs have many cases, and even though the results have never been in doubt, having them fully machine checked convinces us that no case has been overlooked. Moreover, without the framework to abstract away from bound names, the number of cases for all the different α-variants would have been very much larger.

7. Weak bisimulation 

7.1. Basic definitions. Weak bisimulation equivalence is often called observation equivalence. The intuition is that τ-transitions are considered internal and hence invisible to the outside environment. For two processes to be observation equivalent, they only need to mimic the visible actions of each other. More formally, we reason about a τ-chain $P \Rightarrow P'$ as the reflexive transitive closure of τ-actions, i.e. $P \Rightarrow P' \stackrel{\mathrm{def}}{=} P\ (\xrightarrow{\tau})^{*}\ P'$. A weak transition is then said to be an action preceded and succeeded by a τ-chain.

Weak late bisimulation is complicated for input actions. It requires substitutions made as a result of the input to be applied immediately to the input derivative before the succeeding τ-chain is executed, and that one such derivative can continue to simulate for all possible received names, see e.g. [35]. Therefore the weak late semantics needs to carry additional information in the labels as follows.

Definition 7.1.

$P \overset{\alpha}{\Rightarrow} P' \stackrel{\mathrm{def}}{=} P \Rightarrow \xrightarrow{\alpha} \Rightarrow P'$
$P \overset{\bar a(\nu x)}{\Rightarrow} P' \stackrel{\mathrm{def}}{=} P \Rightarrow \xrightarrow{\bar a(\nu x)} \Rightarrow P'$
$P \overset{u:a(x)@P''}{\Rightarrow} P' \stackrel{\mathrm{def}}{=} P \Rightarrow \xrightarrow{a(x)} P'' \wedge P''\{u/x\} \Rightarrow P'$

Residuals are written in the same way for weak as for strong transitions, except for the input case which is written $u : a(x)@P'' \prec P'$. A transition can also be written as $P \Rightarrow Res$ where $Res$ is a residual.

The transition $P \overset{u:a(x)@P''}{\Rightarrow} P'$ means that $P$ can do a τ-chain and then $a(x)$ to an agent $P''$ where $x$ is substituted for $u$, and another τ-chain is done to $P'$. The agent $P''$ represents the exact state where the substitution is made. This will be important when we define weak simulation.

Note that the bound name $x$ in the bound output case is bound in $P'$ and normal α-conversions can be applied. Also, even though we are modelling a late semantics, the name $x$ is not bound in $P'$ in the input transition, as it is substituted for $u$ before the τ-chain. We can still do α-conversions through the following lemma:

Lemma 7.2. If $P \overset{u:a(x)@P''}{\Rightarrow} P'$ and $y \sharp P$ then $P \overset{u:a(y)@P''\{y/x\}}{\Rightarrow} P'$

We also need to weaken the transitions in the standard way:

Definition 7.3. Weak late transitions

$P \overset{\hat\alpha}{\Rightarrow} P' \stackrel{\mathrm{def}}{=} P \Rightarrow P'$ if $\alpha = \tau$
$P \overset{\hat\alpha}{\Rightarrow} P' \stackrel{\mathrm{def}}{=} P \overset{\alpha}{\Rightarrow} P'$ otherwise

We can now define weak late simulation.
Definition 7.4. The agent $P$ can weakly late simulate the agent $Q$ preserving $\mathcal R$, written $P \hat\leadsto_{\mathcal R} Q$, if

$(\forall a\,x\,Q'.\ Q \xrightarrow{\bar a(\nu x)} Q' \wedge x \sharp P \Longrightarrow \exists P'.\ P \overset{\bar a(\nu x)}{\Rightarrow} P' \wedge (P', Q') \in \mathcal R)\ \wedge$

$(\forall a\,x\,Q'.\ Q \xrightarrow{a(x)} Q' \wedge x \sharp P \Longrightarrow \exists P''.\ \forall u.\ \exists P'.\ P \overset{u:a(x)@P''}{\Rightarrow} P' \wedge (P', Q'\{u/x\}) \in \mathcal R)\ \wedge$

$(\forall \alpha\,Q'.\ Q \xrightarrow{\alpha} Q' \Longrightarrow \exists P'.\ P \overset{\hat\alpha}{\Rightarrow} P' \wedge (P', Q') \in \mathcal R)$

The important aspect of weak late simulation is the fact mentioned above, that an input action $a(x)$ must be matched by a weak transition with the same input derivative $P''$ for all possible instantiations $u$ of the bound name. From our definition, we can derive an introduction rule for weak simulation similar to the one done for strong simulation in Lemma 4.3.

In the standard way we define another version of simulation, $\Rightarrow_{\mathcal R}$, where we require the simulating process to do at least one action to mimic the simulated agent. The definition of $\Rightarrow_{\mathcal R}$ is the same as for $\hat\leadsto_{\mathcal R}$ except that the simulating process in the last conjunct uses $\overset{\alpha}{\Rightarrow}$ instead of $\overset{\hat\alpha}{\Rightarrow}$.

Definition 7.5. $P \Rightarrow_{\mathcal R} Q$ if

$(\forall a\,x\,Q'.\ Q \xrightarrow{\bar a(\nu x)} Q' \wedge x \sharp P \Longrightarrow \exists P'.\ P \overset{\bar a(\nu x)}{\Rightarrow} P' \wedge (P', Q') \in \mathcal R)\ \wedge$

$(\forall a\,x\,Q'.\ Q \xrightarrow{a(x)} Q' \wedge x \sharp P \Longrightarrow \exists P''.\ \forall u.\ \exists P'.\ P \overset{u:a(x)@P''}{\Rightarrow} P' \wedge (P', Q'\{u/x\}) \in \mathcal R)\ \wedge$

$(\forall \alpha\,Q'.\ Q \xrightarrow{\alpha} Q' \Longrightarrow \exists P'.\ P \overset{\alpha}{\Rightarrow} P' \wedge (P', Q') \in \mathcal R)$



7.2. Lifted semantics. Our preservation proofs for weak transitions are very similar to the corresponding proofs for strong transitions. We achieve this by lifting the operational semantics, i.e. mapping each rule from Fig. 1 to a corresponding rule using weak transitions. The following transition system can be derived for the transitions defined in Def. 7.1.

Lemma 7.6. The lifted semantics for the transitions defined in Def. 7.1.

Input: $a(x).P \overset{u:a(x)@P}{\Rightarrow} P\{u/x\}$   Output: $\bar a b.P \overset{\bar a b}{\Rightarrow} P$   Tau: $\tau.P \overset{\tau}{\Rightarrow} P$

Match: $\dfrac{P \Rightarrow Res}{[a = a]P \Rightarrow Res}$   Mismatch: $\dfrac{P \Rightarrow Res \quad a \neq b}{[a \neq b]P \Rightarrow Res}$

Open: $\dfrac{P \overset{\bar a b}{\Rightarrow} P' \quad a \neq b}{(\nu b)P \overset{\bar a(\nu b)}{\Rightarrow} P'}$   Sum: $\dfrac{P \Rightarrow Res}{P + Q \Rightarrow Res}$   ParIn: $\dfrac{P \overset{u:a(x)@P''}{\Rightarrow} P' \quad x \sharp Q}{P \mid Q \overset{u:a(x)@(P'' \mid Q)}{\Rightarrow} P' \mid Q}$

ParBO: $\dfrac{P \overset{\bar a(\nu x)}{\Rightarrow} P' \quad x \sharp Q}{P \mid Q \overset{\bar a(\nu x)}{\Rightarrow} P' \mid Q}$   ParF: $\dfrac{P \overset{\alpha}{\Rightarrow} P'}{P \mid Q \overset{\alpha}{\Rightarrow} P' \mid Q}$   Comm: $\dfrac{P \overset{b:a(x)@P''}{\Rightarrow} P' \quad Q \overset{\bar a b}{\Rightarrow} Q'}{P \mid Q \overset{\tau}{\Rightarrow} P' \mid Q'}$

Close: $\dfrac{P \overset{y:a(x)@P''}{\Rightarrow} P' \quad Q \overset{\bar a(\nu y)}{\Rightarrow} Q' \quad y \sharp P}{P \mid Q \overset{\tau}{\Rightarrow} (\nu y)(P' \mid Q')}$   Res (bound output): $\dfrac{P \overset{\bar a(\nu x)}{\Rightarrow} P' \quad y \sharp (a, x)}{(\nu y)P \overset{\bar a(\nu x)}{\Rightarrow} (\nu y)P'}$

Res (input): $\dfrac{P \overset{u:a(x)@P''}{\Rightarrow} P' \quad y \sharp (a, u, x)}{(\nu y)P \overset{u:a(x)@(\nu y)P''}{\Rightarrow} (\nu y)P'}$   ResF: $\dfrac{P \overset{\alpha}{\Rightarrow} P' \quad y \sharp \alpha}{(\nu y)P \overset{\alpha}{\Rightarrow} (\nu y)P'}$   Replication: $\dfrac{P \mid\ !P \Rightarrow Res}{!P \Rightarrow Res}$

When trying to lift the semantics to the transitions defined in Def. 7.3 we encounter difficulties. The rules which do not have $\Rightarrow$ in the assumptions trivially follow from Lemma 7.6, but of the remaining, only ParF and ResF can be lifted.

Corollary 7.7. The lifted rules for ParF and ResF.

ParF: $\dfrac{P \overset{\hat\alpha}{\Rightarrow} P'}{P \mid Q \overset{\hat\alpha}{\Rightarrow} P' \mid Q}$   ResF: $\dfrac{P \overset{\hat\alpha}{\Rightarrow} P' \quad x \sharp \alpha}{(\nu x)P \overset{\hat\alpha}{\Rightarrow} (\nu x)P'}$

The operational rules from Fig. 1 that cannot be lifted in this manner, as opposed to the ones in Lemma 7.6, are Match, Mismatch, Sum and Replication in the case where $\alpha = \tau$ and $P = P'$.



7.3. Preservation properties. To prove preservation properties for weak simulations we need to lift the preservation proofs from strong simulations to weak ones. For $\Rightarrow_{\mathcal R}$ this turns out to be unproblematic. The lemmas require the same assumptions to be proven, with the addition that we sometimes need to know that if $(P, Q) \in \mathcal R$ then $P$ simulates $Q$ preserving $\mathcal R$. The reason for this is that after following a τ-chain, we need to know that we are still inside the simulation. For $\hat\leadsto_{\mathcal R}$, however, the lemmas that we could not lift in Cor. 7.7 need their assumptions strengthened. These lemmas are:

Lemma 7.8.

$P \hat\leadsto_{\mathcal R} Q$
$\forall P\,Q\,a.\ (P, Q) \in \mathcal R \Longrightarrow ([a = a]P, Q) \in \mathcal R$
──────────
$[a = b]P \hat\leadsto_{\mathcal R} [a = b]Q$

Proof. By the definition of $\hat\leadsto_{\mathcal R}$ and Prop. 3.6. In the case where the τ-transition stands still, the second assumption is used to prove that the derivatives are still in $\mathcal R$. □

Lemma 7.9.

$P \hat\leadsto_{\mathcal R} Q$
$\forall P\,Q\,a\,b.\ (P, Q) \in \mathcal R \wedge a \neq b \Longrightarrow ([a \neq b]P, Q) \in \mathcal R$
──────────
$[a \neq b]P \hat\leadsto_{\mathcal R} [a \neq b]Q$

Proof. By the definition of $\hat\leadsto_{\mathcal R}$ and Prop. 3.7. In the case where the τ-transition stands still, the second assumption is used to prove that the derivatives are still in $\mathcal R$. □

Lemma 7.10.

$(P, Q) \in \mathcal R$   $\mathit{eqvt}\ \mathcal R$
$\forall P\,Q.\ (P, Q) \in \mathcal R \Longrightarrow P \hat\leadsto_{\mathcal R} Q$
$\forall P\,Q.\ (P \mid\ !P, Q) \in \mathcal R \Longrightarrow (!P, Q) \in \mathcal R$
──────────
$!P \hat\leadsto_{\mathit{Rep}\ \mathcal R}\ !Q$

Proof. Similar to Lemma 4.16, but when a τ-action stands still the fourth assumption is used. □

The other preservation lemmas look the same as their strong counterparts. Their proofs need to treat input actions differently, as there is a noticeable difference in how input actions are treated in strong and weak simulations. Other than this, the proofs follow the same pattern.

Weak bisimulation equivalence is defined using coinduction in exactly the same way as strong bisimulation. As a result, all coinduction rules which were generated for strong bisimulation are also generated for weak.

Definition 7.11. Weak bisimulation equivalence, $\approx$, is the largest relation satisfying:
$P \approx Q \Longrightarrow P \hat\leadsto_{\approx} Q \wedge Q \hat\leadsto_{\approx} P$

Weak bisimulation is not a congruence since it is neither preserved by the +-operator nor by the input-prefix, but it is preserved by all other operators.

Theorem 7.12. $\approx$ is preserved by all operators except + and input prefix.

Proof. The first step in this proof is to use the lifted preservation rules for weak simulation. In order to prove preservation of Match, Mismatch and Replication, we need the results $P \approx [a = a]P$ and $P \approx [a \neq b]P$ when $a \neq b$, as well as the structural congruence result $P \mid\ !P \approx\ !P$. □

To obtain a congruence we follow the standard procedure. The proofs of the preservation lemmas for $\Rightarrow_{\mathcal R}$ are similar to their strong counterparts since all rules from the operational semantics can be lifted using Lemma 7.6. We can now define weak congruence.

Definition 7.13. $P \simeq Q \stackrel{\mathrm{def}}{=} P \Rightarrow_{\approx} Q \wedge Q \Rightarrow_{\approx} P$

Note that this is not a coinductive definition since it refers to $\approx$. The proof that $\simeq$ is preserved by all operators except input-prefix corresponds closely to our corresponding proof for $\approx$. The proof that $\simeq^{s}$ is a congruence follows in the same manner.

Theorem 7.14. $\simeq$ is preserved by all operators except input-prefix.

Proof. This proof is nearly identical to the one for Theorem 4.24, but we use our preservation proofs for $\Rightarrow_{\mathcal R}$ instead of the ones for $\leadsto_{\mathcal R}$. □

Lemma 7.15. $\simeq^{s}$ is a congruence.

Proof. Similar to Theorem 4.25. □
7.4. Relationships between equivalences. We prove that ${\sim} \subseteq {\simeq} \subseteq {\approx}$. Among other things, this implies that the weaker bisimulation equivalences contain structural congruence. The first part of this proof is to establish correspondence properties between the different types of transitions.

Corollary 7.16.

If $P \xrightarrow{\alpha} P'$ then $P \overset{\alpha}{\Rightarrow} P'$
If $P \xrightarrow{a(x)} P'$ then $P \overset{u:a(x)@P'}{\Rightarrow} P'\{u/x\}$

Proof. Follows from the definition of $P \Rightarrow Res$ by adding empty τ-chains before and after the transitions. □

The next step is to do the same for simulations.

Corollary 7.17. If $P \leadsto_{\mathcal R} Q$ then $P \Rightarrow_{\mathcal R} Q$

Proof. By the definition of $\Rightarrow_{\mathcal R}$ and Cor. 7.16. □

And finally for weak congruence.

Corollary 7.18. If $P \sim Q$ then $P \simeq Q$

Proof. By the definitions of $\sim$, $\simeq$ and Cor. 7.17. □

The corresponding proof for our congruence relations follows trivially.

Corollary 7.19. If $P \sim^{s} Q$ then $P \simeq^{s} Q$

Proof. Follows from the definitions of $\sim^{s}$, $\simeq^{s}$ and Cor. 7.18. □

We can use the same technique when reasoning about weak bisimulation.

Corollary 7.20. If $P \overset{\alpha}{\Rightarrow} P'$ then $P \overset{\hat\alpha}{\Rightarrow} P'$

Proof. Follows from the definitions of $\overset{\alpha}{\Rightarrow}$ and $\overset{\hat\alpha}{\Rightarrow}$, as $\overset{\alpha}{\Rightarrow}$ can do everything $\overset{\hat\alpha}{\Rightarrow}$ can do except doing an empty sequence of τs. □

Followed by simulation.

Corollary 7.21. If $P \Rightarrow_{\mathcal R} Q$ then $P \hat\leadsto_{\mathcal R} Q$

Proof. Follows from the definitions of $\Rightarrow_{\mathcal R}$, $\hat\leadsto_{\mathcal R}$ and Cor. 7.20. □

And finally for weak bisimulation.

Corollary 7.22. If $P \simeq Q$ then $P \approx Q$

Proof. Follows from the definitions of $\approx$, $\simeq$ and Cor. 7.21. □

Using the techniques above our results follow as a simple corollary.

Corollary 7.23.

If $P \equiv Q$ then $P \simeq Q$
and $P \approx Q$
and $P \simeq^{s} Q$

Proof. Follows from Theorem 6.6 and Corollaries 7.18, 7.22 and 7.19. □




7.5. The Hennessy Lemma. As an example we prove the Hennessy Lemma. 
Theorem 7.24. $P \approx Q$ iff $\tau.P \simeq Q \;\vee\; P \simeq Q \;\vee\; P \simeq \tau.Q$. 

Proof. We first prove the lemma in the direction left-to-right. We will need the following 
auxiliary lemmas. 

Lemma 7.25. If $P \hat{\leadsto}_{\mathcal R} Q$ then $\tau.P \leadsto^{\simeq}_{\mathcal R} Q$. 

Proof. By the definition of $\leadsto^{\simeq}$. The interesting case is when $Q$ does a τ-action; $\tau.P$ can 
always mimic that with at least one step since $P \hat{\leadsto}_{\mathcal R} Q$. □ 

Lemma 7.26. If $P \hat{\leadsto}_{\mathcal R} Q$ and 

$\forall Q'.\ Q \stackrel{\tau}{\longrightarrow} Q' \Rightarrow (P, Q') \notin \mathcal R$ 

then $P \leadsto^{\simeq}_{\mathcal R} Q$. 

Proof. This follows from the definitions of $\hat{\leadsto}$ and $\leadsto^{\simeq}$. The only difference between them is 
that for a τ-transition the simulating process may, under $\hat{\leadsto}$, do an empty sequence of τs, whereas under 
$\leadsto^{\simeq}$ it cannot. The second assumption removes this option. □ 

Lemma 7.27. If $P \stackrel{\tau}{\longrightarrow} P'$ and $(P', Q) \in \mathcal R$ then $P \leadsto^{\simeq}_{\mathcal R} \tau.Q$. 

Proof. Follows from the definition of $\leadsto^{\simeq}$. □ 

We can now complete our proof for the left-to-right direction of the Hennessy lemma by 
doing proofs on the following cases: 

(1) $\exists P'.\ P \stackrel{\tau}{\longrightarrow} P' \wedge P' \approx Q$ 

(2) $\exists Q'.\ Q \stackrel{\tau}{\longrightarrow} Q' \wedge P \approx Q'$ 

In the case that (1) or (2) holds we use Lemmas 7.25 and 7.27 to prove the first and third 
disjuncts. In the case that neither holds, Lemma 7.26 can be used for both directions of the 
bisimulation, giving the second disjunct. This concludes the proof in the left-to-right direction. 
We will need the following lemmas for the direction right-to-left. 

Lemma 7.28. If $\tau.P \leadsto^{\simeq}_{\mathcal R} Q$ then $P \hat{\leadsto}_{\mathcal R} Q$. 

Proof. By the definition of $\hat{\leadsto}$. If $Q$ does a τ-action and $\tau.P$ simulates it by doing a single 
τ-step, $P$ can stand still and end up in the same state. Otherwise, $P$ can always move to 
the same state as $\tau.P$ by doing one τ-step less. □ 

Lemma 7.29. If $P \leadsto^{\simeq}_{\mathcal R} \tau.Q$ and 

$\forall P'\, Q'.\ (P', Q') \in \mathcal R \Rightarrow P' \hat{\leadsto}_{\mathcal R} Q'$ 

then $P \hat{\leadsto}_{\mathcal R} Q$. 

Proof. From the definition of $\leadsto^{\simeq}$ we get a τ-chain $P \Longrightarrow_\tau P'$ for some $P'$ where $(P', Q) \in \mathcal R$. 
We also know that $P' \hat{\leadsto}_{\mathcal R} Q$. By the definition of $\hat{\leadsto}$ we can prefix the chain $P \Longrightarrow_\tau P'$ to 
any simulation of $Q$. □ 

To finish the proof we use Lemmas 7.28 and 7.29 for the first and third disjuncts and 
Cor. 7.22 for the second one. □ 
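The inclusions $\sim \subseteq \simeq \subseteq \approx$ of Section 7.4 and the Hennessy Lemma can be checked mechanically on a finite transition system. The following Python program is an added example and is not part of the Isabelle formalisation described in this paper: it computes strong bisimilarity, weak bisimilarity and weak congruence by greatest-fixpoint iteration over all state pairs, using the same distinction as above between $\stackrel{\alpha}{\Longrightarrow}$ (at least one step for τ) and $\stackrel{\hat\alpha}{\Longrightarrow}$ (τ may be answered by standing still). The string encoding of states and labels, the constant TAU and the constructed four-state system EXAMPLE are assumptions of the example.

```python
"""Strong bisimilarity, weak bisimilarity and weak (observation) congruence on a
finite labelled transition system.  Added illustration of Section 7.4 and the
Hennessy Lemma, not code from the formalisation.  An LTS is a dict mapping a
state (string) to a set of (label, successor) pairs; TAU is the silent action."""

TAU = "tau"


def tau_closure(lts, s):
    """States reachable from s by zero or more tau steps (the tau-chain)."""
    seen, todo = {s}, [s]
    while todo:
        cur = todo.pop()
        for lab, nxt in lts.get(cur, ()):
            if lab == TAU and nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen


def strong_steps(lts, s, a):
    """P --a--> P'."""
    return {nxt for lab, nxt in lts.get(s, ()) if lab == a}


def weak_steps(lts, s, a):
    """P ==a==> P': tau chain, one a step, tau chain.  For a == TAU at least one
    real step is taken; this is what separates ==> from the hatted version."""
    out = set()
    for s1 in tau_closure(lts, s):
        for s2 in strong_steps(lts, s1, a):
            out |= tau_closure(lts, s2)
    return out


def weak_hat_steps(lts, s, a):
    """P ==a^==> P': as weak_steps, except that tau may be answered by standing still."""
    out = weak_steps(lts, s, a)
    if a == TAU:
        out.add(s)
    return out


def _simulates(lts, rel, p, q, respond):
    """Every strong step of p is answered by a `respond` step of q into rel."""
    labels = {lab for edges in lts.values() for lab, _ in edges}
    return all(any((p1, q1) in rel for q1 in respond(lts, q, a))
               for a in labels for p1 in strong_steps(lts, p, a))


def largest_bisim(lts, respond):
    """Greatest fixpoint over all pairs: respond=strong_steps gives ~, and
    respond=weak_hat_steps gives the weak bisimilarity."""
    rel = {(p, q) for p in lts for q in lts}
    changed = True
    while changed:
        changed = False
        for p, q in list(rel):
            if not (_simulates(lts, rel, p, q, respond)
                    and _simulates(lts, rel, q, p, respond)):
                rel.discard((p, q))
                changed = True
    return rel


def weak_congruent(lts, p, q, weak_bisim):
    """Weak congruence: every strong step is answered by a ==> step (no empty
    tau chain) into the weak bisimilarity `weak_bisim`, in both directions."""
    return (_simulates(lts, weak_bisim, p, q, weak_steps)
            and _simulates(lts, weak_bisim, q, p, weak_steps))


def inclusions_hold(lts):
    """Check strong <= congruence <= weak on every pair of states (Section 7.4)."""
    strong = largest_bisim(lts, strong_steps)
    weak = largest_bisim(lts, weak_hat_steps)
    cong = {(p, q) for p in lts for q in lts if weak_congruent(lts, p, q, weak)}
    return strong <= cong <= weak


def hennessy(lts, p, q):
    """Return (P weakly bisimilar to Q, tau.P ~= Q or P ~= Q or P ~= tau.Q); the
    Hennessy Lemma says both agree.  Works on a copy of lts extended with tau.P, tau.Q."""
    lts = {s: set(e) for s, e in lts.items()}
    tp, tq = "tau." + p, "tau." + q
    lts.setdefault(tp, set()).add((TAU, p))
    lts.setdefault(tq, set()).add((TAU, q))
    weak = largest_bisim(lts, weak_hat_steps)
    rhs = (weak_congruent(lts, tp, q, weak) or weak_congruent(lts, p, q, weak)
           or weak_congruent(lts, p, tq, weak))
    return (p, q) in weak, rhs


# Constructed example: a.0 and tau.a.0 are weakly bisimilar but not weakly
# congruent, while a.0 + tau.a.0 and tau.a.0 are weakly congruent (the tau law).
EXAMPLE = {
    "0": set(),
    "a.0": {("a", "0")},
    "tau.a.0": {(TAU, "a.0")},
    "a.0+tau.a.0": {("a", "0"), (TAU, "a.0")},
}
```

On EXAMPLE, `hennessy(EXAMPLE, "a.0", "tau.a.0")` returns `(True, True)` through the first disjunct, since `a.0` cannot answer the τ-step of `tau.a.0` with a non-empty τ-chain but `tau.a.0` trivially can; the fixpoint iteration is quadratic in the number of states and is only meant for small hand-built systems.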
Axioms: 

  Input:        $a(x).P \stackrel{au}{\longrightarrow}_e P\{u/x\}$ 
  Output:       $\bar a b.P \stackrel{\bar a b}{\longrightarrow}_e P$ 
  Tau:          $\tau.P \stackrel{\tau}{\longrightarrow}_e P$ 

Rules, written premises $\Rightarrow$ conclusion, where $Res$ ranges over residuals and $\alpha$ over actions without binders: 

  Match:        $P \longrightarrow_e Res \;\Rightarrow\; [a = a]P \longrightarrow_e Res$ 
  Mismatch:     $P \longrightarrow_e Res,\ a \neq b \;\Rightarrow\; [a \neq b]P \longrightarrow_e Res$ 
  Open:         $P \stackrel{\bar a b}{\longrightarrow}_e P',\ a \neq b \;\Rightarrow\; (\nu b)P \stackrel{\bar a(b)}{\longrightarrow}_e P'$ 
  Sum:          $P \longrightarrow_e Res \;\Rightarrow\; P + Q \longrightarrow_e Res$ 
  ParB:         $P \stackrel{\bar a(x)}{\longrightarrow}_e P',\ x \mathrel\# Q \;\Rightarrow\; P \mid Q \stackrel{\bar a(x)}{\longrightarrow}_e P' \mid Q$ 
  ParF:         $P \stackrel{\alpha}{\longrightarrow}_e P' \;\Rightarrow\; P \mid Q \stackrel{\alpha}{\longrightarrow}_e P' \mid Q$ 
  Comm:         $P \stackrel{au}{\longrightarrow}_e P',\ Q \stackrel{\bar a u}{\longrightarrow}_e Q' \;\Rightarrow\; P \mid Q \stackrel{\tau}{\longrightarrow}_e P' \mid Q'$ 
  Close:        $P \stackrel{ay}{\longrightarrow}_e P',\ Q \stackrel{\bar a(y)}{\longrightarrow}_e Q',\ y \mathrel\# P \;\Rightarrow\; P \mid Q \stackrel{\tau}{\longrightarrow}_e (\nu y)(P' \mid Q')$ 
  ResB:         $P \stackrel{\bar a(x)}{\longrightarrow}_e P',\ y \mathrel\# (a, x) \;\Rightarrow\; (\nu y)P \stackrel{\bar a(x)}{\longrightarrow}_e (\nu y)P'$ 
  ResF:         $P \stackrel{\alpha}{\longrightarrow}_e P',\ x \mathrel\# \alpha \;\Rightarrow\; (\nu x)P \stackrel{\alpha}{\longrightarrow}_e (\nu x)P'$ 
  Replication:  $P \mid\, !P \longrightarrow_e Res \;\Rightarrow\; !P \longrightarrow_e Res$ 

Figure 3: The Par- and the Res-rule in the early operational semantics are still split, but 
the input action contains no bound names. Symmetric versions have been elided. 



8. Early semantics and bisimulation 



8.1. Early semantics. In the early semantics the input action carries the name received 
rather than a bound name, so the process $a(x).P$ can receive any name $u$, doing an action 
$au$ and ending up in the derivative $P\{u/x\}$. The main difference to the late semantics is 
that substitution is done at the input prefix rule, i.e. as early as possible, and not during 
communication. 

The way we write actions differs somewhat from the late semantics. We write the early 
transitions in a similar way, but with a subscript $e$ to differentiate them from the late ones. 
Moreover, in the early semantics a transition $P \stackrel{\alpha}{\longrightarrow}_e P'$ can include an input transition, as it 
does not contain a bound name. The intuition is that an action is denoted $\alpha$ if it contains 
no binders. As a result, our Isabelle definition for early residuals needs to be changed. 

Definition 8.1. The early residual datatype. 

    datatype freeRes = InputR name name 
                     | OutputR name name 
                     | TauR 

    nominal_datatype residual = BoundOutputR name "«name» pi" 
                              | FreeR freeRes pi 
8.2. Early bisimulation. The definition of early simulation is similar to its late coun- 
terpart. The difference between the two is that no distinction has to be made for the 
input action, as the substitution takes place before any communication is made. 

Definition 8.2. The agent $P$ can early simulate the agent $Q$ preserving $\mathcal R$, written $P \leadsto_{e\,\mathcal R} Q$, 
if 

$(\forall a\, x\, Q'.\ Q \stackrel{\bar a(x)}{\longrightarrow}_e Q' \wedge x \mathrel\# P \Rightarrow \exists P'.\ P \stackrel{\bar a(x)}{\longrightarrow}_e P' \wedge (P', Q') \in \mathcal R)\ \wedge$ 

$(\forall \alpha\, Q'.\ Q \stackrel{\alpha}{\longrightarrow}_e Q' \Rightarrow \exists P'.\ P \stackrel{\alpha}{\longrightarrow}_e P' \wedge (P', Q') \in \mathcal R)$ 
Bisimulation is again defined using our standard coinduction technique. 
Definition 8.3. Early bisimulation equivalence, $\sim_e$, is the largest relation satisfying: 

$P \sim_e Q \;\Rightarrow\; P \leadsto_{e\,\sim_e} Q \wedge Q \leadsto_{e\,\sim_e} P$ 

All the preservation proofs and congruence results for late bisimulation have also been done 
for early. This did require creating rules for case analysis on the early operational semantics 
in a similar way as was done for late. We have created the library of preservation lemmas 
similar to the one for late semantics. This work was pretty straightforward and the two 
libraries work in the same way except for how they treat input actions. Once this was 
done, the proofs for early bisimulation were nearly identical to their late counterparts and 
required very little extra work. 

Theorem 8.4. $\sim_e$ is preserved by all operators except input-prefix. 
Theorem 8.5. $\sim^s_e$ is a congruence. 



8.3. Weak early bisimulation. We have also proven our results for weak early bisimula- 
tion. We use the same technique as we did for weak late bisimulation by lifting the early 
operational semantics to a weak counterpart. The weak early operational semantics can be 
written in a simpler form, however, as weak early simulation does not require any knowl- 
edge of the point at which a substitution was made. A weak early transition is hence written 
$P \stackrel{\alpha}{\Longrightarrow}_e P'$ or $P \stackrel{\hat\alpha}{\Longrightarrow}_e P'$, where $\alpha$ is an arbitrary action. 



Lemma 8.6. The lifted semantics for the weak early operational semantics. 

  Input:        $a(x).P \stackrel{au}{\Longrightarrow}_e P\{u/x\}$ 
  Output:       $\bar a b.P \stackrel{\bar a b}{\Longrightarrow}_e P$ 
  Tau:          $\tau.P \stackrel{\tau}{\Longrightarrow}_e P$ 
  Match:        $P \Longrightarrow_e Res \;\Rightarrow\; [a = a]P \Longrightarrow_e Res$ 
  Mismatch:     $P \Longrightarrow_e Res,\ a \neq b \;\Rightarrow\; [a \neq b]P \Longrightarrow_e Res$ 
  Open:         $P \stackrel{\bar a b}{\Longrightarrow}_e P',\ a \neq b \;\Rightarrow\; (\nu b)P \stackrel{\bar a(b)}{\Longrightarrow}_e P'$ 
  Sum:          $P \Longrightarrow_e Res \;\Rightarrow\; P + Q \Longrightarrow_e Res$ 
  ParB:         $P \stackrel{\bar a(x)}{\Longrightarrow}_e P',\ x \mathrel\# Q \;\Rightarrow\; P \mid Q \stackrel{\bar a(x)}{\Longrightarrow}_e P' \mid Q$ 
  ParF:         $P \stackrel{\alpha}{\Longrightarrow}_e P' \;\Rightarrow\; P \mid Q \stackrel{\alpha}{\Longrightarrow}_e P' \mid Q$ 
  Comm:         $P \stackrel{au}{\Longrightarrow}_e P',\ Q \stackrel{\bar a u}{\Longrightarrow}_e Q' \;\Rightarrow\; P \mid Q \stackrel{\tau}{\Longrightarrow}_e P' \mid Q'$ 
  Close:        $P \stackrel{ay}{\Longrightarrow}_e P',\ Q \stackrel{\bar a(y)}{\Longrightarrow}_e Q',\ y \mathrel\# P \;\Rightarrow\; P \mid Q \stackrel{\tau}{\Longrightarrow}_e (\nu y)(P' \mid Q')$ 
  ResB:         $P \stackrel{\bar a(x)}{\Longrightarrow}_e P',\ y \mathrel\# (a, x) \;\Rightarrow\; (\nu y)P \stackrel{\bar a(x)}{\Longrightarrow}_e (\nu y)P'$ 
  ResF:         $P \stackrel{\alpha}{\Longrightarrow}_e P',\ x \mathrel\# \alpha \;\Rightarrow\; (\nu x)P \stackrel{\alpha}{\Longrightarrow}_e (\nu x)P'$ 
  Replication:  $P \mid\, !P \Longrightarrow_e Res \;\Rightarrow\; !P \Longrightarrow_e Res$ 
This semantics is very similar to its late counterpart. The reason for this is that in the 
weak late operational semantics, the instantiations of input bound names occur inside the 
transition before the succeeding τ-chain. This becomes apparent when we compare the lifted 
rules for Input. In the late semantics, it looks like an early transition since it contains the 
name $u$ received in the input. The rules Close and Comm also behave in the same way. 
We have proven Lemmas 8.13, 8.14, 8.15, 8.16 and Theorem 8.17 for the correspondence of 
the weak late and early transition systems. 

We do encounter the same problem when trying to lift the $\stackrel{\hat\alpha}{\Longrightarrow}_e$ transitions, in that 
Match, Mismatch, Sum and Replication cannot be lifted, for the same reason as in the 
late semantics. The lifted early rules correspond more closely to their strong counterparts 
than the lifted late rules correspond to theirs. The weak early and late rules are very simi- 
lar to each other since the Input-rules behave in the same intuitive manner. The difference 
between the two semantics is not so much in the operational rules as in the definition of 
simulation. 

Definition 8.7. The agent $P$ can weakly early simulate the agent $Q$ preserving $\mathcal R$, written 
$P \hat{\leadsto}_{e\,\mathcal R} Q$, if 

$(\forall a\, x\, Q'.\ Q \stackrel{\bar a(x)}{\longrightarrow}_e Q' \wedge x \mathrel\# P \Rightarrow \exists P'.\ P \stackrel{\bar a(x)}{\Longrightarrow}_e P' \wedge (P', Q') \in \mathcal R)\ \wedge$ 

$(\forall \alpha\, Q'.\ Q \stackrel{\alpha}{\longrightarrow}_e Q' \Rightarrow \exists P'.\ P \stackrel{\hat\alpha}{\Longrightarrow}_e P' \wedge (P', Q') \in \mathcal R)$ 
Definition 8.8. Weak early bisimulation equivalence, $\approx_e$, is the largest relation satisfying: 

$P \approx_e Q \;\Rightarrow\; P \hat{\leadsto}_{e\,\approx_e} Q \wedge Q \hat{\leadsto}_{e\,\approx_e} P$ 

Theorem 8.9. $\approx_e$ is preserved by all operators except $+$ and input-prefix. 

Proof. Similar to the proof for Theorem 7.12. □ 

Weak early bisimulation is not a congruence, for the same reason as weak late bisimulation, 
and in order to create a congruence we need to define a weak early congruence simulation, 
$\leadsto^{\simeq}_{e}$, by replacing the $\stackrel{\hat\alpha}{\Longrightarrow}_e$ in Def. 8.7 by $\stackrel{\alpha}{\Longrightarrow}_e$. 

We can now define our weak early congruence. 

Definition 8.10. $P \simeq_e Q \;\stackrel{def}{=}\; P \leadsto^{\simeq}_{e\,\approx_e} Q \wedge Q \leadsto^{\simeq}_{e\,\approx_e} P$ 
Theorem 8.11. $\simeq_e$ is preserved by all operators except input-prefix. 

Proof. Similar to the proof for Theorem 7.14. □ 
Lemma 8.12. $\simeq^s_e$ is a congruence. 

Proof. Proved in a similar way as Lemma 7.15. □ 



8.4. Relationships between equivalences. Not surprisingly, strong early and weak early 
relations enjoy the same inclusion properties as their late counterparts, i.e. $\sim_e \subseteq \simeq_e \subseteq \approx_e$. 
Furthermore, $\sim \subseteq \sim_e$. 

The proof for the latter is more involved and requires correspondence proofs between 
strong early and late actions. The connection we have proved between them is that every 
early τ-transition has a corresponding late τ-transition and vice versa. More precisely, the 
following lemmas are proven: 
Lemma 8.13. $P \stackrel{\bar a b}{\longrightarrow}_e P'$ iff $P \stackrel{\bar a b}{\longrightarrow} P'$ 

Proof. By induction over the possible output transitions. □ 
Lemma 8.14. $P \stackrel{\bar a(x)}{\longrightarrow}_e P'$ iff $P \stackrel{\bar a(x)}{\longrightarrow} P'$ 

Proof. By induction over the possible bound output transitions. 

Before induction, the transitions are α-converted such that $x$ is fresh for $a$ and $P$. In the 
Open cases, Lemma 8.13 is used. □ 

Lemma 8.15. If $P \stackrel{a(x)}{\longrightarrow} P'$ then $P \stackrel{au}{\longrightarrow}_e P'\{u/x\}$ 

Proof. By induction over the possible input transitions. Before induction, the late transition 
is α-converted such that $x$ is fresh for $a$, $u$ and $P$. □ 

Lemma 8.16. If $P \stackrel{au}{\longrightarrow}_e P'$ then for all name contexts $C$ there exist an $x$ and a $P''$ such that 
$P \stackrel{a(x)}{\longrightarrow} P''$, $P' = P''\{u/x\}$ and $x \mathrel\# C$ 

Proof. By induction over the possible input transitions. When doing the induction, the last 
conjunct of the goal is not used, only the first two. We can then take the results 
from the induction, eliminate the existential quantifiers, pick a new name $x'$ which 
is fresh for $P''$ and $C$, and instantiate the goal with $x'$ and $(x\ x') \cdot P''$. □ 

We can now prove our theorem. 

Theorem 8.17. $P \stackrel{\tau}{\longrightarrow}_e P'$ iff $P \stackrel{\tau}{\longrightarrow} P'$ 

Proof. By induction over the possible τ-transitions. In the Open, Comm and Close cases, 
Lemmas 8.13, 8.14, 8.15 and 8.16 are used. □ 
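The point of Lemma 8.15 and Theorem 8.17, that substituting at the input prefix (early) or at Comm (late) gives the same τ-derivatives, can be exercised on concrete terms. The following Python program is an added example and not the Isabelle development of this paper: it implements late and early transitions for a fragment of the calculus without restriction or replication (so no bound output, Open or Close), with capture-avoiding substitution and the ParB-style alpha-conversion that the freshness side condition $x \mathrel\# Q$ demands. The tuple encoding of processes, the name universe used to instantiate early inputs (free names plus one fresh name) and the constructed process EXAMPLE are assumptions of the example; derivatives are compared syntactically, which suffices here because the Comm rule never renames binders.

```python
"""Late and early transitions for a pi-calculus fragment (nil, input and output
prefix, tau, sum, parallel; no restriction or replication).  Added illustration
of Sections 8.1 and 8.4, not the Isabelle formalisation.  A process is a tuple
('nil',), ('in', a, x, P), ('out', a, b, P), ('tau', P), ('sum', P, Q) or
('par', P, Q); names are strings."""

NIL = ('nil',)


def fn(p):
    """Free names of a process."""
    tag = p[0]
    if tag == 'nil':
        return set()
    if tag == 'in':
        return {p[1]} | (fn(p[3]) - {p[2]})
    if tag in ('out', 'tau'):
        return set(p[1:-1]) | fn(p[-1])
    return fn(p[1]) | fn(p[2])                           # sum, par


def fresh(avoid, base='z'):
    """A name not in `avoid`; plays the role of the freshness side conditions."""
    while base in avoid:
        base += "'"
    return base


def subst(p, u, x):
    """p{u/x}: capture-avoiding substitution of the name u for the free name x."""
    tag = p[0]
    r = lambda n: u if n == x else n
    if tag == 'nil':
        return p
    if tag == 'in':
        a, y, body = p[1], p[2], p[3]
        if y == x:                                       # x bound here: body untouched
            return ('in', r(a), y, body)
        if y == u and x in fn(body):                     # u would be captured: rename y
            z = fresh(fn(body) | {u, x})
            body, y = subst(body, z, y), z
        return ('in', r(a), y, subst(body, u, x))
    if tag == 'out':
        return ('out', r(p[1]), r(p[2]), subst(p[3], u, x))
    if tag == 'tau':
        return ('tau', subst(p[1], u, x))
    return (tag, subst(p[1], u, x), subst(p[2], u, x))


def late(p):
    """Late transitions as (action, derivative) pairs.  ('in', a, x) leaves x bound
    in the derivative; ('out', a, b) and ('tau',) are free actions."""
    tag = p[0]
    if tag == 'in':
        return {(('in', p[1], p[2]), p[3])}
    if tag == 'out':
        return {(('out', p[1], p[2]), p[3])}
    if tag == 'tau':
        return {(('tau',), p[1])}
    if tag == 'sum':
        return late(p[1]) | late(p[2])
    if tag == 'par':
        return _late_par(p[1], p[2])
    return set()


def _late_par(p, q):
    steps = set()
    for left, r, s in ((True, p, q), (False, q, p)):     # r moves, s stays (Par, symmetric)
        for act, r1 in late(r):
            if act[0] == 'in' and act[2] in fn(s):       # side condition x # Q: alpha-convert
                x, z = act[2], fresh(fn(r1) | fn(s) | {act[1]})
                act, r1 = ('in', act[1], z), subst(r1, z, x)
            steps.add((act, ('par', r1, s) if left else ('par', s, r1)))
    for ap, p1 in late(p):                               # Comm: substitution happens here
        for aq, q1 in late(q):
            if ap[0] == 'in' and aq[0] == 'out' and ap[1] == aq[1]:
                steps.add((('tau',), ('par', subst(p1, aq[2], ap[2]), q1)))
            if ap[0] == 'out' and aq[0] == 'in' and ap[1] == aq[1]:
                steps.add((('tau',), ('par', p1, subst(q1, ap[2], aq[2]))))
    return steps


def early(p, names):
    """Early transitions: the input prefix instantiates its bound name with every
    u in the finite universe `names`, so all actions are free."""
    tag = p[0]
    if tag == 'in':
        return {(('in', p[1], u), subst(p[3], u, p[2])) for u in names}
    if tag == 'sum':
        return early(p[1], names) | early(p[2], names)
    if tag != 'par':
        return late(p)                                   # out, tau, nil: same as late
    lp, rq = early(p[1], names), early(p[2], names)
    steps = ({(a, ('par', p1, p[2])) for a, p1 in lp}
             | {(a, ('par', p[1], q1)) for a, q1 in rq})
    for ap, p1 in lp:                                    # Comm: same channel and same name
        for aq, q1 in rq:
            if {ap[0], aq[0]} == {'in', 'out'} and ap[1:] == aq[1:]:
                steps.add((('tau',), ('par', p1, q1)))
    return steps


def universe(p):
    """Free names of p plus one fresh name: enough to instantiate every input."""
    return fn(p) | {fresh(fn(p))}


def lemma_8_15_holds(p):
    """Each late P --a(x)--> P' gives the early P --au-->_e P'{u/x} for every u."""
    e = early(p, universe(p))
    return all((('in', act[1], u), subst(p1, u, act[2])) in e
               for act, p1 in late(p) if act[0] == 'in' for u in universe(p))


def theorem_8_17_holds(p):
    """Late and early tau-derivatives coincide (compared syntactically)."""
    lt = {q for act, q in late(p) if act == ('tau',)}
    et = {q for act, q in early(p, universe(p)) if act == ('tau',)}
    return lt == et


# Constructed example: a(x).xbar c | (abar b + b(y)); its only tau step is the handshake on a.
EXAMPLE = ('par', ('in', 'a', 'x', ('out', 'x', 'c', NIL)),
                  ('sum', ('out', 'a', 'b', NIL), ('in', 'b', 'y', NIL)))
```

For EXAMPLE the late semantics produces one bound input `('in', 'a', 'x')` whose derivative still mentions `x`, while the early semantics produces four instantiated inputs, one per name in `universe(EXAMPLE)`; both agree on the single τ-derivative `('par', ('out', 'b', 'c', NIL), NIL)`, obtained late by substituting at Comm and early by having substituted at the prefix.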

We can now continue with our correspondence proofs between late and early semantics. 

Lemma 8.18. If $P \leadsto_{\mathcal R} Q$ then $P \leadsto_{e\,\mathcal R} Q$ 

Proof. By case analysis of Def. 8.2. Lemmas 8.13, 8.14, 8.15, 8.16 and Theorem 8.17 are 
used to transform the early simulations to late ones and back again after applying Def. 4.1. 
Lemma 8.16 has the context $C$ instantiated as $P$ to ensure that the generated bound name 
is fresh for $P$ as required by Def. 4.1. □ 

We now prove that all late bisimilar processes are also early bisimilar. 

Theorem 8.19. If $P \sim Q$ then $P \sim_e Q$ 

Proof. By coinduction using Prop. 4.19 and setting $\mathcal X$ to $\sim$. Lemma 8.18 then proves our 
goal. □ 

Corollary 8.20. If $P \sim^s Q$ then $P \sim^s_e Q$ 

Proof. Follows trivially from Theorem 8.19. □ 
With these we can very easily prove our theorems about structural congruence for early. 
Corollary 8.21. If $P \equiv Q$ then 

$P \sim_e Q$ and 
$P \sim^s_e Q$ 

Proof. Follows trivially from Theorems 6.1, 8.19, 6.6 and Cor. 8.20. □ 
Finally, for the weak early semantics: 

Corollary 8.22. 

If $P \sim_e Q$ then $P \simeq_e Q$ 
If $P \sim^s_e Q$ then $P \simeq^s_e Q$ 
If $P \simeq_e Q$ then $P \approx_e Q$ 

Proof. Similar to their corresponding proofs in Section 7.4. □ 

From this our structural congruence results follow trivially. 

Corollary 8.23. If $P \equiv Q$ then 

$P \simeq_e Q$, 
$P \approx_e Q$, 
$P \sim^s_e Q$ and 
$P \simeq^s_e Q$ 

Proof. From Theorems 6.1, 6.6 and Cor. 8.22. □ 

9. Results and Conclusions 

9.1. Current Status. We have used the new nominal datatype package in Isabelle to 
model the π-calculus and our results are very encouraging. We have proved a substantial 
part of [30], in particular preservation properties of strong and weak bisimulation for both 
late and early operational semantics. Other results include that all late τ-transitions have 
a corresponding early one and vice versa, and that all late bisimulation relations have an 
early counterpart. Moreover, we have proven that all the bisimulation relations we have 
investigated contain structural congruence. We have created a substantial library concerning 
the fundamental mechanisms in the π-calculus, such as substitution and transitions. One 
of our main contributions is that the proofs resemble the ones on paper very closely, since 
we make precise the traditional "hand waving" with respect to bound names. Since we are 
using Isabelle, we can write our proofs in a very readable form using Isar [47]. We believe 
this to be the most extensive formalisation of a process calculus ever done inside a theorem 
prover. 

In recent work we put our formalisation to the test by proving that the axiomatisation 
of strong late bisimilarity is sound and complete pi)J. The proofs were complex, but again 
mapped their pen-and-paper equivalents very closely and we made extensive use of the 
foundation provided in this paper. 

The nominal package is still work in progress and it is constantly being updated. One 
recent addition allows for users to define functions on their nominal datatypes using an 
automatically generated recursion combinator [44]. At the moment the only function we 
use is substitution. 
9.2. Related Work. The π-calculus has been subjected to many attempts at formalisa- 
tion. Gabbay made a formalisation in [20] utilising FM set theory, the precursor of nominal 
logic. His work is mathematically close to ours. The rest of this section will focus mainly 
on formalisations which have been subject to mechanisation inside a theorem prover. Early 
sketches in HOL include [31, 26]. Later attempts have also been made using de Bruijn in- 
dices, where names are encoded using natural numbers. The most extensively used approach 
is higher order abstract syntax (HOAS), where weak HOAS is the technique most similar to 
ours. We here comment on the more important approaches. 

de Bruijn indices are heavily used in software which reasons about terms with binders; 
an example for the π-calculus is the Mobility Workbench [26]. They work well in these 
environments as they have very nice algorithmic properties. However, these properties do 
not provide an intuitive mathematical framework. In [2^], Daniel Hirschkoff formalised a 
subset of the π-calculus excluding sum, match and mismatch in Coq using de Bruijn indices. 
The theories formalised were that early bisimulation is a congruence as well as the structural 
congruence results. Preliminary work was also made to help formalise Milner's encoding of 
the λ-calculus [29]. Hirschkoff writes the following: 

Technical work, however, still represents the biggest part of our implementa- 
tion, mainly due to the managing of de Bruijn indexes. . . Of our 800 proved 
lemmas, about 600 are concerned with operators on free names. 

Fraenkel Mostowski set theory was one of the first serious attempts to formalise nomi- 
nal logic. It is standard ZF set theory but with an extra freshness axiom added. In [20], 
Gabbay formalises a portion of the π-calculus in FM. In this approach an N-quantifier (new 
quantifier) is used to generate names which are fresh for the current context. The nominal 
package does not provide support for this quantifier, but the same effect is achieved by 
instantiating our rules with a set of context names. Gabbay also started work on incor- 
porating a framework for FM inside Isabelle [19] with which formalisations such as ours 
could be made. Unfortunately, this early version of nominal logic was incompatible with 
the axiom of choice and had to be used in Isabelle/Pure, a bare-bones set of theories. 
This choice of framework was necessary since Isabelle/HOL contains the axiom of choice, 
but the attempt was later abandoned. 

HOAS has been used to model the π-calculus in both Coq [25], by Honsell et al., and 
in Isabelle by Röckl and Hirschkoff [39]. In [25] the late operational semantics is encoded 
together with late strong bisimulation. The proved results include that the algebraic laws 
presented in [30] are sound, where the non-trivial proofs include preservation results for 
bisimulation and the results for structural congruence. When using HOAS terms, binders 
are represented as functions of type name->term. However, if these functions range over the 
entire function space they may produce exotic terms, so the formalisations need to ensure 
that those are avoided. In [39], a special well-formedness predicate is used to filter out the 
exotic terms. Another problem is that since abstraction is handled by the meta-logic of the 
theorem prover, reasoning about binders at the object level can become problematic. In 
[25] we can read: 

The main drawback in HOAS is the difficulty of dealing with metatheoretic 
issues concerning names in process contexts, i.e. terms of type name->proc. 
As a consequence, some metatheoretic properties involving substitution and 
freshness of names inside proofs and processes, cannot be proved inside the 
framework and instead have to be postulated. 
Our approach is completely free from any extra axioms, and since nominal logic is a first- 
order approach we do not have exotic terms. Moreover, freshness conditions are part of the 
nominal infrastructure and all such conditions are explicitly known at the object level and 
do not have to be postulated; thus no extra infrastructure for choosing particular names is 
needed. 

9.3. Impact and Further Work. Theorem provers suffer from a somewhat well-deserved 
reputation of being hard to use for the uninitiated. However, having theories formalised 
by a computer has significant advantages and making theorem provers easy to use for the 
general engineer is a high priority. We believe that our work helps in this venture. The 
challenging part has been to create inductive rules and easy-to-use definitions for simulation 
and bisimulation. With this done the actual proofs done in the theorem prover are not much 
harder than the ones done on paper. 

Our next goal will be to provide support for model- and bisimulation checking on 
actual protocols such as ad-hoc routing. Particularly processes with infinite state space are 
of interest as these cannot be handled by automatic tools like the Mobility Workbench. 

There are several variants of the π-calculus, the polyadic π-calculus and the higher order π- 
calculus just to name two. We believe that our definitions for simulation and bisimulation 
can easily be transferred to many other calculi. 